Breach Reporting and Safeguarding PHI Outpatient Services August, 2012 UAMS HIPAA Office Anita Westbrook

Breaches and Breach Reporting. Real-life example: an employee of a large hospital accidentally left a scheduling sheet containing the information of 192 patients on a subway train. The records were never recovered. The hospital settled with OCR for $1 million.

What is a Breach? Any use or disclosure of PHI that is not permitted by the Privacy Rule and that poses a significant risk of financial, reputational or other harm to the individual. For example: a UAMS employee accesses the record of a patient outside the performance of their job duties; PHI is sent to the wrong fax number, mailing address or printer.

Notification Requirements. UAMS must notify, in writing, every individual whose unsecured PHI has been breached, without unreasonable delay and no later than 60 calendar days after the breach is discovered. UAMS must also report breaches to HHS: if the breach affects fewer than 500 individuals, log it and report it to HHS annually; if it affects 500 or more individuals, notify HHS at the same time the patients are notified, and also notify the media. If UAMS has insufficient or out-of-date contact information for 10 or more affected patients, substitute notice must be posted on the UAMS website.

How can you help? Notify the UAMS HIPAA Office as soon as you suspect a possible breach. The HIPAA Office will then determine whether an actual breach has occurred and will handle the notification process. Help us keep patient contact information current. Follow your department's documentation requirements. Follow the new workflow for bad addresses. Take steps to prevent breaches from happening in your department!

Verify the patient's identity. Always follow procedures when registering patients: obtain photo identification if at all possible; if the patient is a minor, document the identity of both parents in our system when possible; have the person provide the information rather than merely confirming what you read to them. For example, ask for the patient's address rather than asking "Do you still live on XYZ Avenue?"

Patient Identification. National Patient Safety Goal #1: use at least two patient identifiers when providing care, treatment and services. UAMS patient identifiers: 1. Name: ask the patient for their full name. 2. Date of birth: ask the patient for their full DOB. Ask for the patient's name and date of birth at EVERY point of care, for example when scheduling appointments, checking in patients, and collecting payments.

Confirm Account. When working in our systems, always double-check that you are in the correct patient's account, for example when accepting payments, printing receipts, posting charges, or scheduling tests.

Printed PHI. When mailing information, make sure the name on the document matches the name on the envelope. Don't leave PHI lying around where others can see it. Don't put PHI in the regular trash; shred it or place it in the privacy bins. When PHI is in transit, place the documents in sealed sleeves, bags or envelopes clearly addressed to the recipient. Do not remove PHI from UAMS without managerial approval.

Printed PHI (continued). When retrieving information from the printer and before sending information, check every page to make sure it belongs to the correct patient, and make sure that no other patient's information is included on the page. Double-check that it is the correct patient's information before mailing it or handing it to the patient.

Communicate Quietly. Make it a habit: always lower your voice when discussing patient information. Try to discuss patients privately. Stop the conversation if someone walks up.

Leaving Messages on Answering Machines. Limit the amount of information disclosed to the minimum necessary, such as the provider's name and telephone number, or other information needed to confirm an appointment or to ask the individual to call back. Do not leave messages that include test results or other information that links a patient's name to a particular medical condition or to the type of clinic or specialist. When leaving a message with a family member or friend who answers the patient's phone, limit the message to a request that the patient return your call at UAMS, your name, and your phone number.

Involved family/friends ask for info. Ask the patient's permission, give them an opportunity to object, or infer from the circumstances that the patient does not object. If the patient is not available or a family member is calling by phone, follow your clinic's workflow to determine whether the patient has identified the requestor as someone who may receive information about them. Many clinics use the Directives section of Centricity/Logician for this purpose. If yes, verify the caller's identity and provide only information directly relevant to their involvement in the patient's care.

Centricity Directives in Alerts Tab

Note: If the patient is not available or is incapacitated, or in an emergency situation, professional judgment may be used to make the disclosure if you determine that it is in the patient's best interest and the patient has not otherwise restricted information to the requesting party.

Outpatient Requests for Records. You may provide the patient a copy of their most recent service in your clinic, or of diagnostic reports associated with the most recent service. Obtain a written request from the patient, or make a note in the medical record regarding the request and identifying the records provided to the patient. Do not copy or print from other dates of service or from a different clinic; refer the patient to HIM to process those requests, or fax the request for the patient to HIM at 686 8361. If the patient is requesting that family or another designee view or receive a copy of the patient's record, an Authorization form (Med Rec 99 FR) must be signed by the patient.

Electronic PHI. Minimize your computer screen if someone walks up. Log off or lock your computer before stepping away from it. All computers, laptops and thumb drives containing PHI must be encrypted. Encryption also matters for breach reporting: the notification requirements apply to unsecured PHI, and a lost or stolen device whose contents were encrypted in line with HHS guidance is not treated as a breach of unsecured PHI.

Passwords. Always maintain and use passwords in a secure and confidential manner. Never share your password or use someone else's sign-on information. If you are asked to sign on using someone else's information, refuse to do so and report them.

Highlights: UAMS E-mail Policy 7.1.12. Remember that UAMS e-mail resources are for official UAMS business only. Some guidelines you should follow when e-mailing PHI and confidential information: When possible, only e-mail patient information within the UAMS intranet, as intranet communications are automatically encrypted. Limit the information provided to the minimum necessary.

Highlights: UAMS E-mail Policy 7.1.12 (cont'd). Be careful how you say things in e-mails, and do not e-mail extremely sensitive information. Do not use e-mail as your only means of communicating information that needs immediate attention; follow up with a phone call or page. Be cautious when forwarding any e-mails that may contain PHI or confidential information. Use the encryption feature of the UAMS e-mail system when sending e-mail outside the UAMS domain.

Encrypting UAMS E-mail Messages. Type [secure] into the subject field of the message. This method works for both Outlook and Web mail. For a detailed instruction guide, go to http://intranet.uams.edu/it/securemail

UAMS Faxing Policy 3.1.19. Confidential data should be faxed only when mail will not suffice. Faxes containing PHI and other confidential information must have an official UAMS fax cover sheet. Reconfirm the recipient's fax number before transmittal. Confirm receipt of the fax. Notify your supervisor or the HIPAA Office immediately if a fax is sent in error.

Photography: consent required. Written patient consent is required for photos/video taken for the purpose of treatment, payment, and other health care operations such as teaching within UAMS. Written authorization is required for photos/video to be disclosed outside UAMS. Exception: when a parent asks UAMS staff to take photographs solely for the parent's personal use (such as a baby book), UAMS is not required to obtain written consent before taking the photograph. Employees may not take photos with personal digital devices.

Why would the HIPAA Office call me? Access to patient records is monitored. If your name is on an audit report and the appropriateness of the access is not readily apparent to the auditors, you or your supervisor will be contacted. This is routine follow-up and is done for physicians, students and staff.

Why would the HIPAA Office call me? (continued) Accessing patient records outside the performance of your job is prohibited. This includes your own records and the records of family, friends and acquaintances, and co-workers. Violations of UAMS HIPAA Policies are taken so seriously that your supervisor will be notified and must impose disciplinary action.


Social Networking. Do not post photographs, video or any information about a UAMS patient through electronic means such as social networking sites, blogs, pinging or tweeting. The only exception is a response to a UAMS patient that gives no further information about the patient.

Your HIPAA Team Vera Chenault, UAMS HIPAA Campus Coordinator (501 526 4817) Anita Westbrook, Medical Center Privacy Officer (501 526 6502) Jennifer Sharp, Research Privacy Officer (501 526 7559) Steve Cochran, Security Officer (501 603 1336) Bill Dobbins, HIPAA Auditor and Educator (501 526 7436) Yolanda Hill, HIPAA Auditor and Educator (501 614 2098) Tonya Mehran, HR and Training Coordinator (501 603 1379) http://www.hipaa.uams.edu