A general review of HIPAA standards and privacy practices 2016


- 45 CFR, Part 164: Health Insurance Portability and Accountability Act
- Treatment, Payment and Healthcare Operations
- 42 CFR, Part 2: Confidentiality of Alcohol and Drug Abuse Patient Records
- 41 CFR, Parts 412, 413, 422, and 105: HITECH
- Workplace Reminders

Health Insurance Portability and Accountability Act of 1996 (HIPAA), effective April 2003:
- Created standards for the privacy and security of personal health data.
- Established standardized patient rights.
- Established the minimum necessary standard for disclosure of protected health information (PHI).
- Mandates annual privacy training for all healthcare employees and a designated Privacy Officer (PO).

Definition of a healthcare (covered) entity: a healthcare provider, healthcare payer, or healthcare clearinghouse that processes healthcare claims electronically. If an organization handling PHI is not a healthcare entity, a business associate agreement (BAA) containing specific HIPAA language should be in place.

The major purpose of the Privacy Rule is to define and limit the circumstances in which an individual's protected health information may be used or disclosed by covered entities. A covered entity may not use or disclose protected health information except as the Privacy Rule permits or requires, or as the individual who is the subject of the information (or the individual's personal representative) authorizes in writing.

Allows disclosure of PHI without written consent when used for treatment, payment and health care operations between covered entities:
- Provider (entity) to another provider (entity): referred care
- Provider to insurance company
- Provider to another provider of other related services:
  - Transportation services: specialized van/bus
  - Durable medical equipment: home deliveries of medical equipment and/or supplies; discharge planning

Treatment: the provision, coordination, or management of health care and related services for an individual by one or more health care providers. PHI may be disclosed to other providers involved in patient care, including diagnostic, rehabilitative, maintenance, or palliative care:
- Diagnostic services
- Therapies (OT, PT, chemo)
- Hospice, home healthcare agencies

Payment: PHI can be disclosed to third-party payers (Medicare, Medicaid, private insurance companies, worker's compensation) for reimbursement, pre-authorization, and utilization review activities:
- Was medical necessity documented?
- Were clinical measures met?
- Billing audits

Healthcare operations: administrative, financial and legal activities of the organization:
- Training and education, internal and external: signed collaborative agreements with higher education institutions; internal privacy training with the PO
- Statistical reporting for funding (IHS, grants): generally de-identified, but some information may be patient specific
- Public health activities: only immunizations may be disclosed to schools
- Mandated reporting: child abuse and neglect; communicable diseases; other required reporting for medico-legal reasons

Certain law enforcement activities are allowed under 45 CFR 164.512(f)(1)(ii)(a, b, c):
- Death as the result of a (suspected) crime
- Victim of crime: gunshots and stabbings
- Warrants, subpoenas, and court orders: must be signed by a judge, not a clerk or attorney; on official letterhead and compliant with HIPAA
- Valid requests for PHI/records go to HIM; other administrative requests go to Administration
- Tribal attorneys are notified

Notice of privacy practices:
- Given to all patients, effective April 13, 2003
- Details patient rights and how the entity may disclose PHI
- Details the HIPAA Privacy Rule; includes two examples each of treatment, payment and health care operations
- Notice updated September 2013 for HITECH changes; found on the website and posted in each health center lobby
- In addition, the SNHS Privacy Policy is on Policy Tech

Patient rights:
- To access information
- To obtain a copy of information
- To request an amendment to his/her information if the patient believes it contains an error
- To request a restriction on disclosure (HITECH: a patient who pays for a claim in full can restrict disclosure to the third-party payer)
- To file a privacy complaint
Requests should be in writing and signed by the patient.

Not all requests have to be approved:
- The process for amendments can take up to 90 days. An amendment can only be approved by the author of the note, and it must be a valid request; facts cannot be altered because the patient didn't like what was documented.
- A restriction on disclosure does not have to be approved if it interferes with treatment, payment and health care operations. HITECH: the restriction to a third-party payer is the only one that has to be honored.

Certain information is considered sensitive and requires specific authorization before disclosure. The sensitive category must be checked and signed on the authorization for disclosure form (ROI):
- Drug and alcohol abuse treatment records
- HIV and AIDS, including testing
- Mental health and psychotherapy notes
- Sickle cell anemia
- STDs, included as part of SNHS practice

Behavioral Health Unit follows HIPAA regulations, but more stringent guidelines under 42 CFR, Part 2, take precedence. Patient/client must specifically indicate & sign for disclosure of sensitive information. BHU employees should refer to 42 CFR, Part 2 and departmental policies for specific information regarding disclosure.

Records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any drug abuse prevention function shall be confidential and be disclosed only for the purposes authorized under subsection (b) of this section.

Whether or not the patient gives written consent, the content may be disclosed as follows:
- To medical personnel to meet a bona fide medical emergency.
- To qualified personnel for the purpose of conducting scientific research.
- If authorized by an appropriate order of a court of competent jurisdiction.

Authorization for disclosure: a specific form is used if the disclosure is not for TPO. The patient or personal representative must have legal authority to sign:
- Over 18 years of age, unless an emancipated minor
- Power of attorney that specifically states healthcare
- Legal guardian appointed by a court of competent jurisdiction
- Either natural parent may sign, unless legally unable to do so
- A minor may sign for his or her own child

HIPAA is clear on releasing only the minimum necessary: protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or to carry out a function. This is a key element of the HIPAA Privacy Rule. Entities must enhance efforts to limit unnecessary or inappropriate access.

A covered entity is also required to develop role-based access policies and procedures that limit which members of its workforce may have access to protected health information for treatment, payment and healthcare operations, based on who needs access to the information to do their jobs. Who? Why? What type of access? Access is based on need-to-know for work-related duties.

Employees should not look up their own or family members' information unless it is a normal function of their duties. If the information is needed, follow the proper procedure: ROI, appointments or scheduling, referrals, test results, etc. Don't look because you have an inquiring mind!

HIPAA doesn't require soundproofing or extensive remodeling, but healthcare entities should make reasonable efforts to minimize incidental disclosure: change passwords, limit EMR access based on job duties, annual privacy training. Practice auditory privacy. The EMR has different levels of access, including Practice Management (PM) for billing and financial reports, and the Electronic Medical Record (EMR) for patient records.
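As an added example (not SNHS's own system or code), the following Python sketch applies the minimum-necessary rules from these slides in code: each role sees only the record fields its job needs (a billing/PM view versus a clinical EMR view), the sensitive categories on the authorization form require a signed ROI, lookups of one's own or a family member's record are refused and flagged, and every decision is written to an audit trail. The role names, field names and MRNs are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Fields each role may see to do its job (constructed for illustration):
# "billing" mirrors the Practice Management side, the others the EMR side.
ROLE_FIELDS = {
    "billing": {"name", "dob", "mrn", "insurance", "procedure_codes"},
    "clinician": {"name", "dob", "mrn", "allergies", "labs", "notes",
                  "sud_treatment", "hiv_status", "psychotherapy_notes"},
    "front_desk": {"name", "dob", "mrn", "phone", "appointments"},
}
# Sensitive categories that also need a checked and signed authorization
# (ROI) before disclosure: 42 CFR Part 2 records, HIV, psychotherapy notes.
SENSITIVE_FIELDS = {"sud_treatment", "hiv_status", "psychotherapy_notes"}
TPO = {"treatment", "payment", "operations"}
AUDIT_LOG = []  # one entry per decision, allowed or not; reviewers read this


@dataclass
class AccessRequest:
    user_id: str
    role: str
    patient_mrn: str
    fields: set
    purpose: str                    # "treatment", "payment", "operations", ...
    authorization_on_file: bool = False
    related_mrns: set = field(default_factory=set)  # user's own and family MRNs


def check_access(req, now=None):
    """Apply the minimum-necessary rules and return (allowed, denied), where
    denied maps each refused field to the reason (so the caller can point the
    user to the proper procedure: ROI, scheduling, referral)."""
    allowed, denied, flag = set(), {}, None
    if req.patient_mrn in req.related_mrns:
        # Looking up yourself or a family member is not a job function.
        flag = "self-or-family lookup"
        denied = {f: flag for f in req.fields}
    elif req.purpose not in TPO and not req.authorization_on_file:
        # Outside TPO the patient's signed authorization form is required.
        flag = "non-TPO purpose without signed authorization"
        denied = {f: flag for f in req.fields}
    else:
        permitted = ROLE_FIELDS.get(req.role, set())
        for f in req.fields:
            if f not in permitted:
                denied[f] = "outside role need-to-know"
            elif f in SENSITIVE_FIELDS and not req.authorization_on_file:
                denied[f] = "sensitive: signed authorization required"
            else:
                allowed.add(f)
    AUDIT_LOG.append({"time": (now or datetime.now(timezone.utc)).isoformat(),
                      "user": req.user_id, "role": req.role, "mrn": req.patient_mrn,
                      "purpose": req.purpose, "allowed": sorted(allowed),
                      "denied": denied, "flag": flag})
    return allowed, denied
```

Flagged entries in AUDIT_LOG (self/family lookups, non-TPO requests) are the ones a Privacy Officer would review first; a real system would write the log to append-only storage rather than a list.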

41 CFR, Parts 412, 413, 422 and 105, Health Information Technology for Economic and Clinical Health (HITECH); 45 CFR, Part 170, effective February 2009 for entities using an EMR system:
- Established security standards for entities.
- Established meaningful use in Stages 1-3.
- Established stringent breach assessment guidelines.
- Provides incentives if standards are met; however, these expire after 2016.

Established national standards to protect individuals' electronic personal health information that is created, received, used or maintained by a covered entity. Requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. Mandates that entities have an Information Security Officer (ISO) responsible for security.

Personally identifiable information (PII) obtained during the course of daily business must also be protected. Examples of PII:
- Name
- Address
- SSN (the item most often cited)
- Date of birth
- Account numbers
- Phone number
- E-mail address
- Medical record number
- Photo
- Any license or ID number
Potential for identity theft, healthcare fraud and prescription abuse.

Right to alternative means of communication: phone, e-mail, letter, different mailing address. When leaving messages, don't be too specific; less is better. Do not give out test results or details of treatment or the referral plan when leaving voice messages. Keep the message brief: "This is Jane at the health center calling for John. Please call back at this number and extension."

Social media is not a secure method of communication. Do not post PHI/PII or other official communications on social media. SNHS is not set up to text PHI; employees should not use personal cell phones to contact patients, since they are not secure and patients' phone numbers are protected (PII). Photos should not be taken of patients without proper consent. Never post patient photos to social media!

PHI can be e-mailed to an outside e-mail address if it is the patient's preference. Advise the patient that the message may not be secure and is at risk of incidental disclosure (hacking). The message should be encrypted; see the attachment for how to encrypt at SNHS (the process will be changing in the coming months). Do not place the patient's name, SSN, or DOB in the subject line.

To set the sensitivity of an outgoing message:
1. After the new message has been created and before it is sent, click Options on the message header.
2. Expand the options by clicking the small arrow in the bottom right corner to open the Properties dialog.
3. Change the Sensitivity level to Confidential before sending the message.

Patient portal: required as part of HITECH Stage 2 of meaningful use for entities using an EMR system.
- An alternative means of communication
- Patients need to sign up at Registration
- Electronic access to only certain PHI in the EMR
- A new portal application will be purchased in the future

Lock the monitor (Ctrl-Alt-Delete) when leaving a computer unattended. Limit access to your office or workstation to avoid an incidental disclosure. Practice auditory privacy: don't discuss patient care if others can overhear.

Limit printing, and when done, shred or dispose of documents properly; no strip shredders for PHI or PII. Use common sense: place documents face down on the desk. Never give out or share your password: it determines your level of access, and the audit trail records actions under your login.

Penalties, civil and criminal, can be issued. The US Office for Civil Rights (OCR) investigates privacy complaints for non-compliance. The employee and/or the entity can be held responsible for non-compliance. Fines and/or incarceration can be levied. The US Department of Justice is responsible for prosecution.

HHS/OCR investigated resolutions, April 14, 2003 to March 31, 2013:
- No violations: 9,146 (34%)
- Investigation and enforcement: 19,306 (66%)

- Impermissible uses and disclosures: not permitted under TPO, or unauthorized disclosure
- Lack of safeguards of PHI: administrative, technical and physical
- Lack of patient access to PHI: restricted disclosures to the patient
- Uses and disclosures of more than the minimum necessary
- Lack of PHI administrative safeguards: access policies, need-to-know

Privacy complaints against the organization or an employee can be made by a patient, an employee or the general public. The SNHS complaint/grievance process will be used; contact the Privacy Officer for guidance. The PO does not take action against the employee; the supervisor and HR are responsible for following the disciplinary process if the complaint is found to be valid. Disciplinary action, including termination, may result from a breach or unauthorized disclosure. SNI HR policy also requires confidentiality.

Pharmacy records were disposed of in unsecured containers. They were not shredded and contained personally identifiable information (PII) about specific patients. The organization failed to implement written policies and procedures as required by HIPAA. The organization was fined $125,000, and corrective action included implementing policies and developing and providing training for staff.

A nurse and an orderly at a hospital discussed the HIV/AIDS status of a patient and the patient's spouse within earshot of other patients without making reasonable efforts to prevent the disclosure. (Non-compliant with auditory privacy) Upon learning of the incident, the hospital placed both employees on leave; the orderly resigned his employment shortly thereafter.

Among other actions taken, the hospital took further disciplinary action with the nurse, which included: one year probation; referral for peer review; and further training on HIPAA Privacy. In addition to corrective action taken under the Privacy Rule, the organization entered into a monetary settlement agreement with the patient.

A hospital employee's supervisor accessed, examined, and disclosed PHI from the employee's medical record. OCR's investigation confirmed that the supervisor's use and disclosure of protected health information was not authorized and was not otherwise permitted by the Privacy Rule. An employee's medical record is protected by the Privacy Rule, even though employment records held by a covered entity in its role as employer are not.

Corrective actions to resolve the specific issues in the case: a letter of reprimand was placed in the supervisor's personnel file; the supervisor received additional training about the Privacy Rule. Further, the covered entity counseled the supervisor about appropriate use of the medical information of a subordinate.

References:
- 45 CFR, Parts 160 and 164
- 42 CFR, Part 2
- 41 CFR, Parts 105, 412, 413, 422
- Centers for Medicare and Medicaid Services
- US Office for Civil Rights
- Indian Health Service
- SNI HR Policy