Please Turn Off or Silence Cell Phones & Pagers



Compliance at UAMS
Presented by:
- Office of Hospital Compliance
- Office of Research Compliance
- Faculty Group Practice Compliance
- HIPAA Office

UAMS Compliance Organization
- Vice Chancellor for Institutional Compliance: Bob Bishop, (501) 686-5699, Bishop@uams.edu
- Hospital Compliance Officer: Jane Hohn, (501) 603-1001, HohnJaneK@uams.edu
- Research Compliance Officer: Darri Scalzo, (501) 686-8062
- Faculty Group Practice Compliance Officer: Paula Archer, (501) 614-2182, PDArcher@uams.edu
- UAMS HIPAA Coordinator: Vera Chenault, (501) 526-4817, VMChenault@uams.edu

What is Compliance?
Each UAMS employee has maintained a high standard of legal and ethical behavior for many years, but the federal government has now added rules that require organizations to prove their pledge to ethical behavior in all business dealings. That effort is called compliance.

UAMS Commitment
- Your compliance offices are here to help you work through issues that might come up.
- Hotline reports may be anonymous.
- UAMS has a non-retaliation policy for reporting of violations.

UAMS Commitment: UAMS Behavioral Standards
- Do what is right for the patient and their families and guests.
- Accept the responsibilities of your job and be accountable for outcomes.
- Investigate complaints and respond appropriately.
- Acknowledge mistakes, apologize and work to make it right.
- Be honest, sincere and fair in dealing with patients, families and each other.
- Respect patient and family confidentiality at all times.
- Report observed inappropriate behavior or problems using appropriate channels.
- Conserve resources as if they were your own.
- Respect the patient's time. Keep the patient informed when delays occur.

Doing the right thing
What is right is right even if no one is doing it; what is wrong is wrong even if everyone is doing it. If you see someone else doing something wrong, report them.

Doing the right thing
It's not the first mistake that gets you. It's the second, the cover-up, that will. If you do something wrong, acknowledge it.

Institutional Compliance: UAMS Policy 15.1.3
UAMS workforce members must obey all federal and state laws with regard to:
- Implementation and enforcement of procedures that detect and prevent fraud, waste and abuse in respect to payments to UAMS from federal and state health care programs.
- Protections for those who report actual or suspected wrongdoing.

Institutional Compliance: UAMS Reporting Policy 15.1.2
UAMS workforce members will be protected from discharge or retaliation for good-faith reporting of the existence of:
- Any waste of public funds, property or manpower.
- A violation or suspected violation of federal laws, state laws, or UAMS rules and regulations.

Compliance Reporting Line
It is the policy of each compliance department to take ALL reports of wrongdoing, errors or violations of law seriously. You can report a concern about corporate, research, billing or HIPAA compliance to our toll-free reporting line, 1-888-511-3969. The person taking your call is not a UAMS employee and the call will not be recorded. Employees making reports to the line will be protected from retaliation or punishment as a result of making the report.

UAMS Office of Hospital Compliance

What Does Compliance Mean to UAMS?
At UAMS, doing the right thing is nothing new. We are a department devoted to ensuring that we monitor ourselves when it comes to the way we do business. Our corporate compliance program is used to reinforce our employees' long-standing tradition of honesty and integrity.

What Does Compliance Mean for Me?
It's up to us to do what is right every time we deal with anyone in our role at UAMS. It means we need to comply with all federal and state standards, with an emphasis on preventing fraud and abuse. It means we have a responsibility to report any actions thought to be illegal or unethical.

Federal False Claims Act
Incorporated into UAMS Institutional Compliance Policy 15.1.3. The Federal False Claims Act imposes civil liability on any person or entity that:
- Knowingly files a false or fraudulent claim for payments to Medicare, Medicaid or other federally funded health care programs.
- Knowingly uses a false record or statement to obtain payment on a false or fraudulent claim.
- Conspires to defraud Medicare, Medicaid or other federally funded health care programs.

Examples of Illegal or Unethical Actions
- Billing a patient for a medical treatment, service or item that was not done.
- Inappropriately changing or destroying a medical, research or financial record.
- Stealing money or items that don't belong to you.
- Getting paid for hours not worked.
- Asking for and/or getting anything of value from a vendor in return for influencing a decision on whether or not to purchase a vendor's product.

What Do I Do When a Questionable Situation Occurs?
If you are unsure of the right response in a given situation, ask yourself a few simple questions:
- Is this action legal?
- Am I being fair and honest?
- Am I following UAMS policies and procedures?
- How would it look in the newspaper?
- What would I tell a friend to do?

What Do I Do When a Questionable Situation Occurs?
If you are still in doubt, talk with or contact the following:
- Your supervisor
- Another supervisor or administrator
- Institutional compliance department
- UAMS legal counsel

UAMS Code of Conduct
UAMS has a policy of maintaining high professional and ethical standards in the conduct of its missions. The highest importance is placed on our reputation for honesty, integrity and high ethical standards. The Code of Conduct is a reaffirmation of the importance of high ethical standards. Please take a moment to review the Code of Conduct and sign the attestation on the back page.

UAMS Office of Research Compliance

Human Subject Research at UAMS
To Teach, To Heal, To Search, To Serve
Research is a systematic investigation designed to develop or contribute to generalizable knowledge. Federal regulations, institutional policies and procedures, and accepted standards govern research.

What does the UAMS Office of Research Compliance do?
- Manages the human subject research compliance program on behalf of UAMS administration.
- Promotes the Institution's commitment to the protection of human subjects and the responsible conduct of research through oversight and education.

Activities
- Consult on compliance issues
- Educate research staff
- Advise the administration and the Institutional Review Board on compliance issues
- Audit/review research activities

Why is Research Compliance Important?
What can happen when things don't go right:
- Research participants could be injured.
- Resources must be spent to fix problems.
- Studies can be put on hold.
- UAMS might not be able to receive investigational drugs or devices.
- Worst-case scenario: all research halted until the problem is resolved.

What can ORC do for me?
- Answer questions about regulations, standards, audits/reviews, and just about anything else related to human subject research
- Education programs
- Self-assessment tools

UAMS Faculty Group Practice Compliance

Faculty Group Practice Compliance
FGP Compliance is the compliance component for billing providers and their staffs. There are compliance requirements for workforce members who fall into those categories.

Investigation & Corrective Action: FGP Compliance Office
When the FGP Compliance Officer determines that there is reasonable cause to believe that a compliance issue may exist, an inquiry into the matter will be undertaken, with assistance from Counsel when appropriate. The results of the inquiry will be furnished to the Dean. UAMS employees shall cooperate fully with any inquiries undertaken pursuant to this section of the Plan. To the extent practical and appropriate, efforts should be made to maintain the confidentiality of such inquiries and of the information gathered.

Governmental Sanctions
- Denial or revocation of Medicare provider number
- Suspension of payment directly to provider
- Penalties: fines of up to $10,000 per violation
- A corporate integrity agreement may be imposed
- Exclusion from Medicare and any other federally funded healthcare program
- Criminal prosecution

FGP Compliance Reporting
Departments or divisions shall advise the FGP Compliance Officer prior to engaging any outside billing consultants and shall provide the FGP Compliance Officer a copy of any reports prepared by such consultants. Departments or divisions shall also immediately advise the FGP Compliance Officer if notified of a subpoena, carrier review audit, or inquiry by an outside agency on any issue relating to compliance. The FGP Compliance Officer can be contacted at 614-2182.

HIPAA: Health Insurance Portability & Accountability Act
Presented by the UAMS HIPAA Office

HIPAA (not HIPPA)
What is HIPAA? The Health Insurance Portability and Accountability Act is a federal law that protects the privacy and security of patients' health information.
How does HIPAA affect me? UAMS requires all workforce members to sign the UAMS Confidentiality Agreement, and to work together to protect the confidentiality and security of patient, proprietary, and other confidential information.

New HIPAA Enforcement Requirements
Changes to HIPAA as a result of the 2009 Stimulus Bill:
- Strict-liability fines of up to $1,000,000 per occurrence
- Requirement that we notify DHHS of a breach, including inappropriate access to a patient's record

What is a Breach?
Any use or disclosure of PHI that is not permitted by the Privacy Rule and that poses a significant risk of financial, reputational or other harm. For example:
- A UAMS employee accesses the record of a patient outside the performance of their job duties
- An unencrypted laptop containing PHI is lost or stolen
- PHI is sent to the wrong fax, mailing address or printer

Exceptions
There are certain types of uses or disclosures that do not meet the definition of a breach. These exceptions are:
- Unintentional use by a UAMS workforce member that does not result in the PHI being further used or disclosed. For example, a nurse accidentally clicks on the wrong patient's name in WebChart, pulls up that patient's record, realizes that she is in the wrong patient's chart, and closes the record.
- Unauthorized disclosure to an individual who cannot possibly retain it. For example, when checking a patient in, you accidentally hand the patient a registration packet that belongs to someone else, but you realize your mistake and immediately retrieve the information.

Notification Requirements
- UAMS must notify in writing every person whose unsecured PHI has been breached, as soon as feasible but within 60 days.
- UAMS must report breaches to HHS. If fewer than 500 individuals are affected, log the breach and report annually. If more than 500 individuals are affected, UAMS must notify HHS at the same time we notify the patients, and we must also notify the media.

How can you help?
- Notify the UAMS HIPAA Office as soon as you suspect a possible breach. The HIPAA Office will then determine whether an actual breach has occurred and take care of the notification process.
- Help us keep patient contact information current.
- Follow your department's documentation requirements.
- Take steps to prevent breaches from happening in your department.
- When in doubt, just contact us.

Why It Matters
We are committed to creating comfort, hope and healing for our patients and families. Can we do that if we do not respect the privacy and security of their personal information?

What is Protected Health Information?
PHI is any individually identifiable health information, transmitted or maintained, that relates to:
- past, present or future physical or mental condition
- health care provided, or
- payment for care.

PHI Identifiers: here's what we need to protect!
These apply to patients, their families, household members and employers:
- Name
- Address (street address, city, county, zip code (more than 3 digits) or other geographic codes)
- Dates related to the patient
- Age greater than 89
- Telephone number
- Fax number
- E-mail addresses
- Social Security Number
- Medical Record Number
- Health Plan Beneficiary number
- Account number
- Certificate/license number
- Any vehicle or device serial number
- Web URL
- Internet Protocol (IP) address
- Finger or voice prints
- Photographic images
- Any other unique identifying number, characteristic, or code (whether generally available in the public realm or not)

Health Information
Health information should be protected from:
- people who aren't involved in the patient's direct treatment
- insurers using it to deny life or disability coverage
- employers using it in hiring/firing decisions
- reporters
- nosy neighbors, family members, or co-workers

HIPAA
The HIPAA regulations are not intended to prevent the use or disclosure of patient information for the purposes of:
- treating the patient (anyone involved in the patient's care can access the patient's information)
- obtaining payment (people involved in billing insurance or collection of the patient's account may access the patient's information)
- healthcare operations (others involved in the operations at UAMS who need the information to do their job, such as compliance staff, may access the patient's information)
These purposes are referred to as TPO (treatment, payment, operations) and do not require patient authorization.

Guard PHI!

Guard PHI!
Be aware of PHI around you:
- Papers lying around
- Computer screens
- Conversations involving patients
- Patient information on ID stickers, medication labels, forms

Guard PHI!
- When papers containing PHI are no longer needed, place them in a locked shred bin.
- Be careful not to leave papers at copy or fax machines, printers, or conference rooms.
- Do not take patient records off campus.

Guard PHI!
- Turn computer screens away from traffic or use privacy screens, and be aware of those around you when using PHI on computers.
- Log off or lock your computer before stepping away from it.

Guard PHI!
- Use private areas to discuss patient information when possible.
- Keep your voice lowered when discussing patients, and be aware of those around you.
- If you overhear a conversation about a patient, keep it to yourself.

Guard PHI!
- If you do not need patient information to do your job, do not seek it out.
- Accessing patient information outside the performance of your job is a violation of UAMS policy and the law and will result in disciplinary action.
- Access to patient information will be monitored and audited.

Guard PHI!
Accessing health records for your job does not mean accessing:
- Your own record
- The records of your family members or friends
- The records of your co-workers
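The previous slide says access to patient information is monitored and audited, and this one names the three kinds of chart that a job never justifies opening. As an added example (not code from the UAMS slides, and not a description of the monitoring UAMS actually runs), here is a small Python review over constructed access-log records that flags exactly those three patterns for the HIPAA Office to look at. It assumes the organization can map a workforce login to that person's own medical record number and to the records of declared family members, and it assumes each log record carries a documented treatment, payment or operations role on the encounter; a family member's or co-worker's chart opened under such a role is not flagged, since TPO access is permitted elsewhere in these slides. The output is a review list, not a verdict.

```python
"""Flag chart accesses matching the patterns this slide rules out (added example; data constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AccessEvent:
    user: str         # workforce member's login ID
    patient_mrn: str  # medical record number of the chart that was opened
    timestamp: str    # kept as ISO-8601 text for simplicity
    tpo_role: str     # documented relationship to the encounter: "treating",
                      # "billing", "operations", or "none" (assumed field)


# Roles that evidence a treatment/payment/operations need (the TPO purposes
# described elsewhere in these slides).
TPO_ROLES = {"treating", "billing", "operations"}


def flag_suspicious_access(
    events: List[AccessEvent],
    workforce_mrn: Dict[str, str],
    family_mrn: Dict[str, Set[str]],
) -> List[Tuple[AccessEvent, str]]:
    """Return (event, reason) pairs that merit review by the HIPAA Office.

    workforce_mrn maps a login to that person's own MRN; family_mrn maps a login
    to MRNs of declared family members. Both mappings are assumptions of this
    example about what the organization can look up.
    """
    staff_mrns = set(workforce_mrn.values())
    flagged = []
    for ev in events:
        if ev.patient_mrn == workforce_mrn.get(ev.user):
            # Opening your own chart is flagged regardless of any role.
            flagged.append((ev, "own record"))
            continue
        if ev.tpo_role in TPO_ROLES:
            continue  # documented job need on this encounter: not flagged here
        if ev.patient_mrn in family_mrn.get(ev.user, set()):
            flagged.append((ev, "family member's record without a TPO role"))
        elif ev.patient_mrn in staff_mrns:
            flagged.append((ev, "co-worker's record without a TPO role"))
    return flagged


# Constructed sample data: three workforce members, one declared relative,
# and five access events.
WORKFORCE_MRN = {"jdoe": "MRN1001", "asmith": "MRN1002", "bjones": "MRN1003"}
FAMILY_MRN = {"jdoe": {"MRN2001"}}
SAMPLE_EVENTS = [
    AccessEvent("jdoe", "MRN3001", "2018-03-01T09:02", "treating"),    # ordinary care access
    AccessEvent("jdoe", "MRN1001", "2018-03-01T12:15", "none"),        # opened own chart
    AccessEvent("jdoe", "MRN2001", "2018-03-02T08:40", "none"),        # relative's chart, no role
    AccessEvent("bjones", "MRN1002", "2018-03-02T10:05", "none"),      # co-worker's chart, no role
    AccessEvent("asmith", "MRN1003", "2018-03-02T11:30", "treating"),  # co-worker, but treating clinician
]


def sample_report() -> List[Tuple[str, str, str]]:
    """Run the check over the constructed events and return (user, mrn, reason) rows."""
    return [
        (ev.user, ev.patient_mrn, reason)
        for ev, reason in flag_suspicious_access(SAMPLE_EVENTS, WORKFORCE_MRN, FAMILY_MRN)
    ]


if __name__ == "__main__":
    for user, mrn, reason in sample_report():
        print(f"{user:8} {mrn:8} {reason}")
```

Of the five constructed events, three are reported: the self-access, the relative's chart opened without a role, and the co-worker's chart opened without a role. The clinician who opened a co-worker's chart while documented as treating is not reported, which is the behaviour a reviewer wants from a first pass; whether the role was genuine is for the HIPAA Office to confirm.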

Think About It
It is likely that there is something in everyone's medical record that they would not want the world to know.
- Would you want your co-workers to know your weight?
- Would you want your neighbor to know that you take antidepressants?
- Would you want your mother to know that you have a history of alcohol use?
It is never okay to access someone's health records outside the performance of your job.

Remember
Confidentiality is a matter of respect, and is a vital component of creating comfort, hope and healing for our patients and their families. We are all patients ourselves from time to time. Think about how you would feel if your own health information was used or disclosed in a way that was harmful to you or your family.

UAMS Policies & The Law
UAMS HIPAA policies can be found at http://hipaa.uams.edu. The UAMS HIPAA Office can point you to the applicable policy if a question arises.

UAMS Confidentiality Policy 3.1.15
Confidential information at UAMS includes:
- Protected Health Information (PHI)
- Electronic Protected Health Information (ePHI)
- UAMS research project information
- Confidential employee and student information
- UAMS proprietary information
- Sign-on and password codes

UAMS Confidentiality Policy 3.1.15
- Unlawful or unauthorized access, use or disclosure of confidential information is prohibited.
- Never share or post your password.
- Do not access information except to meet needs specific to your job.
- Signing the UAMS Confidentiality Agreement is a condition of employment at UAMS.

Notice of Privacy Practices 3.1.21
UAMS must give our patients a copy of our "Notice of Privacy Practices", which includes a description of their rights and how their health information may be used and disclosed. Except in emergencies, we must make a good-faith effort to obtain written acknowledgement that our patients received the Notice. If unable to obtain acknowledgement, the attempt must be documented. Both English and Spanish versions may be found at http://hipaa.uams.edu.

Use and Disclosure 3.1.28
Use is the sharing of Protected Health Information (PHI) within the UAMS community, which includes UAMS off-campus facilities such as all AHECs, KidsFirst, and ACH. Disclosure is releasing or providing access to PHI to anyone outside UAMS. Generally, you may use and disclose PHI for treatment, payment and healthcare operations (TPO) of our organization WITHOUT patient authorization. If the requestor is not known to you, VERIFY their identity and authority before providing PHI.

Disclosures required by law
Limited PHI may be used or disclosed without patient authorization when required or permitted by law. Examples are:
- Communicable disease reporting
- Suspected abuse and neglect
- Reporting to the FDA
- Organ donation purposes
- To funeral directors

Authorization
Except for TPO or when required or permitted by law, most other uses and disclosures require patient authorization. Examples are disclosures to attorneys and life insurance companies (ROI). HIPAA has several required elements for an authorization to be valid. Valid Authorization for Release of Information forms may be obtained from our HIM department.

Minimum Necessary 3.1.25
When using or disclosing PHI, or requesting it from another organization, we must make reasonable efforts to limit it to the smallest amount needed to accomplish the task. If the entire chart is not required, only ask for the information you need. Exceptions to the Minimum Necessary standard include disclosures to, or requests by, a healthcare provider for treatment purposes. Follow the simple need-to-know rule.

Patient Directory 3.1.20
The following information may be included in a Patient Directory:
- Patient name
- Location in our facility
- General statement of condition (good, fair, etc.)
- Religious affiliation (available only to clergy)
Unless the patient tells UAMS not to, the above information may be provided to people who ask for the patient by name.

Sharing Information with Family and Friends Involved in the Patient's Care
You may share information directly relevant to the person's involvement with the patient's care, or for payment related to care, under the following circumstances. If the patient is present or otherwise available prior to the disclosure, you must:
- Obtain the patient's agreement, or
- Provide the patient an opportunity to object, and they do not, or
- Using professional judgment, reasonably infer from the circumstances that the patient does not object.

If the patient is not present
If the patient is not present, or is incapacitated, or in an emergency situation: you may provide the information directly relevant to the family member's or friend's involvement in the patient's care, if you determine it is in the patient's best interest.

Patient Rights
HIPAA gives patients the right to:
- access, inspect and copy PHI
- request amendment of PHI
- receive an accounting of disclosures
- request restrictions on disclosures
- request communications of PHI at alternative locations or by alternative means
- register complaints concerning their privacy rights.
Our contact number for privacy complaints is 1-888-511-3969 (toll free) or 501-614-2187.

Patient's Right to PHI 3.1.28
With a few exceptions, patients can access, inspect and receive copies of their health information. Requests must be granted:
- within 30 days if PHI is on-site
- within 60 days if PHI is off-site

Exceptions include cases where a health care professional believes access could be harmful. If access to certain PHI is denied, then only the denied information may be withheld, and the rest of the information must be provided.

Amendments to PHI 3.1.32
Patients have a right to request an amendment if they believe their information is inaccurate or incomplete. Examples of when the request may be denied are:
- the PHI is already accurate and complete
- the PHI was not created by the provider, and the creator is available
Our HIM Department will process amendment requests.

Accounting of Disclosures 3.1.26
A patient has the right to receive an accounting of PHI disclosures. Examples of disclosures that must be included are those required by law, such as communicable disease reporting, reporting to the Cancer Registry, and reporting to the FDA. Our HIM Department will process requests for an Accounting of Disclosures.

Reasonable Safeguards
UAMS must take reasonable steps to make sure PHI is kept private. Permitted (with reasonable precautions):
- Calling out a patient's name in a waiting area
- Use of a sign-in sheet containing limited information
- Talking about a patient's care at nursing stations
Examples of reasonable precautions include speaking in a low voice and pulling curtains in semi-private rooms. See HIPAA Hints.

Accidental vs. Intentional Disclosures: Accidental Disclosures
Mistakes happen. If you disclose private data in error to an unauthorized person, or if you breach the security of private data:
- Acknowledge the mistake, and notify your supervisor or the HIPAA Office immediately.
- Learn from the error; change procedures or practices as needed.
- Assist in correcting or recovering from the error ONLY if instructed to do so; don't try to cover it up or make it right on your own.

Accidental vs. Intentional Disclosures: Intentional Disclosures
If you ignore the rules and carelessly or deliberately use or disclose Protected Health Information inappropriately, you can expect UAMS disciplinary action, civil liability, and/or criminal charges. All intentional violations, known or suspected, must be reported immediately:
- so they can be investigated and managed
- so they can be prevented from happening again
- so damages can be kept to a minimum
- to minimize your personal risk

Accidental vs. Intentional Disclosures: Examples of Intentional Violations
Improper use of passwords can become an intentional violation:
- Sharing, posting or distributing personal password or account access information.
- Knowledge of unauthorized use by a co-worker of an account or password belonging to someone else.
- Attempting to learn or use another person's access information.
Improper use of computers can become an intentional security violation:
- Installing or downloading unauthorized computer programs that include or allow the entrance of viruses, worms or other malicious software.
- Failing to secure a workstation with access to or display of confidential information.
- Posting PHI or other private data on the Internet without authorization.
- Placing unencrypted PHI or personal information on removable media or devices, such as thumb drives, DVDs, and CDs.
Other examples of intentional violations:
- Accessing personal information outside of your job.
- Illegally altering, destroying, or removing original paper or electronic PHI.
- Accessing electronic PHI at home and leaving the information visible and/or accessible to family members, roommates, and friends.
- Selling health or personal information or inappropriately giving such information to the news media.

UAMS Faxing Policy 3.1.19
- Fax machines must be in a secure location.
- Confidential data should be faxed only when mail will not suffice.
- Faxes containing PHI and other confidential information must have an official UAMS fax cover sheet.
- Reconfirm the recipient's fax number before transmittal.
- Confirm receipt of the fax.
- Notify your supervisor if a fax is sent to the wrong recipient.

HIPAA Security Rule 73 Electronic Protected Health Information (ephi) means individually identifiable health information that is: Transmitted by electronic media Maintained in electronic media Received by electronic media The storage of ephi is also covered under this rule.

HIPAA Security Rule The Security Rule covers all electronic media. Computer networks, desktop computers, laptop computers, personal digital assistants and handheld computers are all considered electronic media. Electronic media also includes magnetic tapes, disks, compact disks, and other means of storing electronic data (including the Internet and UAMS Intranet). 74

75 Facility Physical Access Controls 7.3.09 The Security Rule lists a wide range of activities for which UAMS must provide protection. For example, we must safeguard: Computer hardware and software Buildings that house computer hardware and software Storage and disposal of data and the back-up of data Who has access to data Visitor access to any facilities

HIPAA Security Rule - Standards The Security Rule is made up of three categories of standards Administrative Safeguards Physical Safeguards Technical Safeguards 76

Administrative Safeguards UAMS must have policies and procedures in place to make sure that all members of the workforce have appropriate access to electronic PHI in order to perform their jobs. UAMS must prevent inappropriate access. UAMS has selected a Security Officer. Steve Cochran can be reached at 501-603- 1336. 77

Password Management Policy 7.3.08 Keep passwords confidential. Avoid maintaining a paper record of passwords. Change passwords when there is an indication of possible compromise. Do not use the same passwords for business and personal accounts. Change passwords at regular intervals (120 days) and limit reusing old passwords on domain log-on accounts. 78

Password Management Policy 7.3.08 Change temporary passwords at first logon. Do not include passwords in any automated log-on process, including web pages. Always maintain and use passwords in a secure and confidential manner. Password phrases or sentences are encouraged for domain log-on. 79

Password Management Policy 7.3.08 Passwords must: be based on something besides personal information so that they cannot be easily guessed or obtained; have 8 characters and contain at least 3 of the following: capital letter, lower case letter, number, symbol (including spaces). Examples: #G65c1a! ; joke51mn ; The sky is blue and orange! (as a domain log-on password phrase). 80
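The rules on the three Password Management slides (8 characters, 3 of 4 character classes with a space counting as a symbol, nothing based on personal information, and a 120-day change interval) can be checked mechanically. The block below is an added example written for this page, not UAMS code: the personal-information check (matching the user's own details forwards or reversed) is an assumed way of implementing "based on something besides personal information", and the personal details and candidate passwords used in the comments are constructed. Note that the second slide example, joke51mn, contains only lower-case letters and digits as printed, so the 3-of-4 check reports it as short one character class.

```python
"""Check a candidate password against the UAMS 7.3.08 rules as stated on the slides.

Added example (not UAMS code). The reversed-match personal-detail check is an
assumption about how "based on something besides personal information" would be
enforced; the MIN_* constants and the 120-day interval come from the slides.
"""
from datetime import date, timedelta

MIN_LENGTH = 8          # "have 8 characters"
MIN_CLASSES = 3         # "at least 3 of the following"
CHANGE_INTERVAL = timedelta(days=120)   # "regular intervals (120 days)"


def character_classes(password: str) -> set[str]:
    """Return which of the four policy character classes appear in the password."""
    classes: set[str] = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            # Punctuation and spaces both count as a "symbol" under the policy.
            classes.add("symbol")
    return classes


def check_password(password: str, personal_info: tuple[str, ...] = ()) -> list[str]:
    """Return a list of policy violations; an empty list means the password passes.

    personal_info holds details the user should not build a password from
    (name, pet, etc.); it is supplied by the caller, constructed for the example.
    """
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = character_classes(password)
    if len(classes) < MIN_CLASSES:
        problems.append(
            f"uses only {len(classes)} of 4 character classes "
            f"({', '.join(sorted(classes))})"
        )
    lowered = password.lower()
    for item in personal_info:
        item = item.lower()
        # Short fragments match too easily; only test details of 3+ characters.
        if len(item) >= 3 and (item in lowered or item[::-1] in lowered):
            problems.append(f"contains personal detail '{item}' (forwards or reversed)")
    return problems


def password_expired(last_changed: date, today: date) -> bool:
    """True when the domain log-on password is past the 120-day change interval."""
    return today - last_changed > CHANGE_INTERVAL


if __name__ == "__main__":
    # Constructed candidates: the slide examples plus two that break the rules.
    for candidate in ("#G65c1a!", "joke51mn", "The sky is blue and orange!", "Steve"):
        verdict = check_password(candidate, personal_info=("Steve",))
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
    print("expired:", password_expired(date(2024, 1, 1), date(2024, 6, 1)))
```

The function returns the list of violations rather than a bare boolean so that a self-service password page can tell the user which rule was missed, which is what makes the policy text on the slide actionable.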

Security Log-In Monitoring 7.3.07 Never share passwords with others, not even IT or your supervisor. If you believe that someone else is inappropriately using your ID or password, immediately notify the Technical Support Center at 501-686-8555 or the IT Security Office at 501-686-6207 or ACH TechSource at 501-364-5299. 81

Passwords Never use someone else's sign-on information. If you are asked to sign on using someone else's information, refuse to do so and report them. 82

Information Access for Transfers & Terminations 3.1.41 Department supervisors are responsible for reviewing transferring employees' computer access levels and notifying the department's IT administrator or the UAMS IT Security Office at 501-686-6207. Upon separation from UAMS, all access is terminated. 83

Access Controls for Confidential Information 7.3.14 When leaving a computer unattended, lock the workstation using control/alt/delete, use a password protected screensaver, or log-off the computer. 84

Locking the computer Press CTRL, ALT, Delete keys on the keyboard. On the pop up window, click on the Lock Computer button. 85

Locking the computer When you want to work on the computer again you will need to log in with your domain password. 86

87 Information Access Management Policy 7.3.04 & Internet Policy 7.2.11 Access to confidential information and ephi is granted to authorized individuals on a need-to-know basis. UAMS computers should be used only for authorized purposes. Do not access information outside the performance of your job duties. Do not use computers to engage in any activity that is illegal under local, state, federal, or international law. Do not use workstations to engage in any activity that is in violation of UAMS policy. For example, do not access inappropriate or offensive websites, engage in gambling, send malicious emails, or download copyrighted materials. Never disclose or provide ephi to others except in accordance with UAMS policies and procedures.

Security Log-In Monitoring 7.3.07 UAMS monitors log-on attempts to the UAMS electronic information systems. If you suspect inappropriate log-on attempts you must report it to the IT Security Office at 686-6207 or the Technical Support Center at 686-8555 or ACH TechSource at 501-364-5299. All UAMS information systems must be accessed through your username and password. UAMS systems are monitored to show who accessed what information. 88
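The slide above says that log-on attempts are monitored and that the systems record who accessed what. The block below is an added example of the kind of check such monitoring performs, written for this page and not UAMS code: the audit-log format, the user names, the workstation names and the record identifiers are all constructed for the example, and the alert threshold (five failed log-ons within ten minutes) is an assumed tuning value, not a UAMS setting.

```python
"""Flag bursts of failed log-ons and build a who-accessed-what trail.

Added example (not UAMS code). The log format is constructed:
    <ISO timestamp> <user> <event> <source workstation> <detail>
where event is LOGON_OK, LOGON_FAIL or RECORD_VIEW and detail is a record id or "-".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines (users, workstations and record ids are made up).
SAMPLE_LOG = """\
2024-03-04T08:00:12 jdoe LOGON_OK ws-101 -
2024-03-04T08:01:40 jdoe RECORD_VIEW ws-101 REC-000123
2024-03-04T08:02:05 jdoe RECORD_VIEW ws-101 REC-000456
2024-03-04T12:10:01 asmith LOGON_FAIL ws-207 -
2024-03-04T12:10:09 asmith LOGON_FAIL ws-207 -
2024-03-04T12:10:15 asmith LOGON_FAIL ws-207 -
2024-03-04T12:10:22 asmith LOGON_FAIL ws-207 -
2024-03-04T12:10:30 asmith LOGON_FAIL ws-207 -
2024-03-04T12:11:02 asmith LOGON_OK ws-207 -
2024-03-04T12:11:40 asmith RECORD_VIEW ws-207 REC-000789
"""

FAIL_THRESHOLD = 5              # assumed: failures that trigger a report
WINDOW = timedelta(minutes=10)  # assumed: sliding window for counting them


def parse_log(text: str) -> list[dict]:
    """Parse the constructed log format into event dictionaries, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, source, detail = line.split(maxsplit=4)
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "event": event,
            "source": source,
            "detail": detail,
        })
    return sorted(events, key=lambda e: e["time"])


def failed_logon_bursts(events: list[dict]) -> dict[str, datetime]:
    """Return {user: time of first alert} for users whose failures hit the threshold.

    A per-user deque holds the timestamps of recent failures; entries older than
    WINDOW are dropped before the count is compared to FAIL_THRESHOLD.
    """
    recent: dict[str, deque] = defaultdict(deque)
    alerts: dict[str, datetime] = {}
    for ev in events:
        if ev["event"] != "LOGON_FAIL":
            continue
        window = recent[ev["user"]]
        window.append(ev["time"])
        while window and ev["time"] - window[0] > WINDOW:
            window.popleft()
        if len(window) >= FAIL_THRESHOLD and ev["user"] not in alerts:
            alerts[ev["user"]] = ev["time"]
    return alerts


def access_trail(events: list[dict]) -> dict[str, list[str]]:
    """Return {user: [record ids viewed, in order]}: the "who accessed what" view."""
    trail: dict[str, list[str]] = defaultdict(list)
    for ev in events:
        if ev["event"] == "RECORD_VIEW":
            trail[ev["user"]].append(ev["detail"])
    return dict(trail)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, when in failed_logon_bursts(evs).items():
        print(f"ALERT: {FAIL_THRESHOLD} failed log-ons for {user} by {when.isoformat()}")
    for user, records in access_trail(evs).items():
        print(f"{user} viewed: {', '.join(records)}")
```

In the sample, asmith fails five times inside thirty seconds and then succeeds and views a record, which is exactly the sequence the slide asks staff to report to the IT Security Office when they notice it themselves; the access trail is what lets the office answer "who looked at this record" afterwards.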

Malicious Software Policy 7.3.15 Installation and updating of anti-virus software is done on required information systems. Never bypass or disable anti-virus software. Email attachments are scanned for viruses prior to delivery; however, delete emails that appear suspicious or whose sender you do not know. 89

Malicious Software Policy 7.3.15 If you detect or suspect malicious software or a virus, notify the UAMS Technical Support Center at 686-8555 or ACH TechSource at 501-364-5299 immediately. Do not install personal software or download Internet software onto UAMS computers. Examples: Kazaa, Weatherbug, anti-virus software, and pop-up blockers. Downloading Internet software onto your computer may install spyware without your knowledge and cause your programs to run slower or not function properly. 90

Facility Physical Access Controls 7.3.09 Physical Safeguards are security measures to protect any UAMS electronic information system hardware and related buildings and equipment. For example, exterior doors should be locked appropriately at all times or have measures in place to screen visitors as they enter. 91

Physical Security PCs, mobile devices such as PDAs, BlackBerrys, laptops, digital cameras, CDs and diskettes, or any other devices containing confidential information or ephi must be secured and encrypted. It is a violation of UAMS policy to store PHI on unencrypted mobile devices, and doing so will result in disciplinary action. All computers, remote and on-site, that contain ephi must be protected with a secure log-on. Anti-virus software approved by the UAMS Information Security office must be installed on all computers that ever connect to the UAMS network. ephi must be destroyed before hardware or media is disposed of or made available for re-use. Contact the UAMS IT Office for information. 92

Working from Home 3.1.40 If UAMS allows you to perform some or all of your work in your home, you are responsible for maintaining the privacy and security of all confidential materials. This includes, but is not limited to: patient charts, computers, and confidential working papers. All UAMS confidential materials should be kept in a location that is not accessible to children, spouses, or other family members. UAMS materials should be put away when not being used. 93

Safeguarding PHI 3.1.38 - Using and Transporting PHI Confidential information, including PHI, is not to be removed from UAMS without prior approval. You are responsible for maintaining the privacy and security of all confidential information that you may be transporting, storing or accessing off-site. 94

Technical Safeguards Technical Safeguards include the use of computer technology solutions to protect electronic PHI and track activity in information systems. When PHI is sent from one point to another electronically, it must be secured to avoid theft, damage, or destruction of the information. 95

Access Controls for Confidential Information 7.3.14 - ephi Transmissions All transmissions of ephi and confidential information from UAMS to an outside network must utilize an encryption mechanism between the sending and receiving entities. Encryption makes the information unreadable by anyone who doesn't have the key. 96

Security Reminders Policy UAMS provides all users with information, reminders, and updates on topics including: UAMS information security policies; significant UAMS information security controls and processes; significant risks to UAMS information systems and data; security best practices (e.g. how to choose a good password, how to report a security incident). Reminders are often sent via email; be alert to reminders and follow directions accordingly. 97

Highlights - UAMS E-mail Policy 7.1.12 Remember that UAMS e-mail resources are for official UAMS business only. Some guidelines you should follow when e-mailing PHI and confidential information include: When possible, only e-mail patient information within the UAMS Intranet as intranet communications are automatically encrypted. Limit the information provided to the minimum necessary. 98

Highlights - UAMS E-mail Policy 7.1.12 Guidelines (Cont'd): Be careful how you say things in e-mails and do not e-mail extremely sensitive information. Do not use e-mail as your only means to communicate information that needs immediate attention; follow up with a phone call or page. Be cautious when forwarding any e-mails that may contain PHI or confidential information. Use the encryption feature of the UAMS e-mail system when sending e-mail outside the UAMS domain. 99

Encrypting UAMS E-mail Messages Encrypt a message by typing [secure] into the subject field of the message. This method works for both Outlook and Web mail. 100

Domain login & Email When can I expect to get my domain login account and email? 3 to 5 days after you turn in the Confidentiality Agreement at orientation; both should be ready at the same time. Domain name is lastnamefirstnamemiddleinitial. Initial password is P=your social security number, and it must be changed at first login. It must be changed from a PC on the campus network and not through the Internet. What will my email address be? Either 1st initial + 2nd initial + last name (e.g. absmith@uams.edu) or 1st initial + last name (e.g. pduncan@uams.edu). 102

Other System Access Access to additional UAMS information systems is granted at the request of your supervisor after you complete any required training for that software. Examples may include our patient records systems, such as EPF, Sunrise, Centricity, and appointment and billing systems such as HBOC and SMS. Access to these systems will only be granted upon review and approval as needed for your job. 103

Having computer problems? Here's how to help the Technical Support Center work for you! UAMS Technical Support Center information to know before you call: last name, first name; domain login name; campus location with room number; contact phone number or pager; problem description; application and/or operating system name (e.g. Word 2003, echart, Windows 2000 or XP); UAMS property tag number and computer name. UAMS Tech Support: 501-686-8555, techsupport@uams.edu. ACH Tech Source: 501-364-5299. 104

Penalties for HIPAA Violations- Disciplinary Notice Policy 4.4.02 & U.S. Government Sanctions Employee Sanctions: Violations by UAMS Workforce will result in disciplinary action, up to and including termination from employment with UAMS. Severe Civil/Criminal penalties: In addition, you can be subject to civil and criminal penalties imposed by the federal government up to $1,000,000 and 10 years in prison. 105

Reporting Policy 3.1.23 All known or suspected violations of the privacy and security regulations must be reported. There will be no retaliation for good faith reporting. Reports can be made to: the Reporting line at 1-888-511-3969; the HIPAA Office at 501-614-2187; or anyone in a position of responsibility (the person receiving the report should then contact the HIPAA Office). 106

Conclusion Confidentiality is a team sport: when we protect PHI, everyone wins! 107

Your HIPAA Team Luckily you are not alone with HIPAA! If you have a question, concern, or problem, contact your privacy officer, the HIPAA Office, or the HIPAA hotline 108

Your HIPAA Team Vera Chenault, UAMS HIPAA Campus Coordinator (501-526-4817); Anita Westbrook, Medical Center Privacy Officer (501-526-6502); Jennifer Sharp, Research Privacy Officer (501-686-8062); Tracy Petty, PRI Compliance Officer (501-526-8177); Scott Addison, AHEC Compliance Officer (501-526-0350); Steve Cochran, Security Officer (501-603-1336); Bill Dobbins, Informatics Manager & Auditor (501-526-7436); Jacque Osburn, HIPAA Compliance Manager (501-614-2098); Ashley Vestal, HR and Training Coordinator (501-603-1379). 109

Your HIPAA Team And don't forget 110

Be a HIPAA star! 1. Examples of Individually Identifiable Health Information that could be used to identify an individual include: A. Name, License number, photograph B. Birth date, address, account number C. County, finger print, phone number D. All of the above 111

Be a HIPAA star! 2. Which of the following can happen if research projects are not following compliance requirements: A. Research participants can be injured B. UAMS may not receive investigational drugs or devices to study C. All research can be halted D. All of the above 112

Be a HIPAA star! 3. The term Protected Health Information (PHI) includes: A. Oral information about a patient B. Written information about a patient C. Individually identifiable information about a patient D. All of the above 113

Be a HIPAA star! 4. I can share information about a patient if I know them personally. A. True B. False 114

Be a HIPAA star! 5. The term HIPAA means: A. Health Is Patient Access and Accountability B. Health Insurance Portability and Accountability Act C. Neither A nor B 115

Be a HIPAA star! 6. Patients have the right to obtain a copy of their own records A. True B. False 116

Be a HIPAA star! 7. An example of safeguarding patients' PHI is: A. Sharing passwords with coworkers B. Avoiding discussing a patient's information when others may hear you. C. Leaving computer screens unlocked at all times 117

Be a HIPAA star! 8. Logging onto the Network and allowing someone else to use the computer is against UAMS Policy. A. True B. False 118

Be a HIPAA star! 9. Which is the best way to protect sensitive data in your computer when you go out for lunch or home for the evening? A. Turn your monitor off B. Activate the screen saver C. Lock your computer D. Close all programs 119

Be a HIPAA star! 10. Identify examples of computer safety: A. Create alpha numeric passwords B. Locking computer screens while away C. Log off computer at the end of workday D. All of the above 120

Be a HIPAA star! 11. It is the responsibility of UAMS employees to report concerns about illegal or unethical behavior A. True B. False 121

Be a HIPAA star! 12. Employees who report compliance issues in good faith shall not be subject to harassment or retaliation. A. True B. False 122

Be a HIPAA star! 13. Which of the following is an example of a strong password? A. Steve B. My dog's name C. #G6cZ D. My last name spelled backwards E. *j0ke5lmn 123

Be a HIPAA star! 14. Breaches or suspected breaches of PHI must be reported to the HIPAA Office within what time frame? A. Immediately B. When my supervisor returns from vacation C. Within 24 hours 124

Be a HIPAA star! 15. Other than yourself, who else should know your password? A. Only your supervisor, major professor, or system administrator B. Coworker C. No one 125

Be a HIPAA star! 16. When a computer virus is detected, infected, or suspected it must be reported to the Information Security Office within what time frame? A. Immediately B. Never C. Within 24 hours 126