HIPAA PRIVACY DIRECTIONS. HIPAA Privacy/Security Personal Privacy. What is HIPAA?


DIRECTIONS: HIPAA Privacy/Security and Personal Privacy

1. Read through the entire online training presentation.
2. Close the presentation and click on Online Trainings on the Intranet home page.
3. Click on the HIPAA & Privacy On-line Test.
4. Complete the test and submit.
5. Double check that you entered your email address correctly.

What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. Among other things, the law includes the Privacy Rule, which creates national standards to protect the privacy of individuals' protected health information (PHI), and the Security Rule, which establishes standards for securing PHI in electronic form.

Catholic Charities and HIPAA

Catholic Charities has a Privacy Officer and a Security Officer for direction and guidance on policy and practice:
Michele Adams (Privacy Officer) 440-843-5578
Glenda Buzzelli (Security Officer) 216-334-2916
Catholic Charities is required to provide annual HIPAA training to all staff.

What is PHI?

PHI includes all individually identifiable health information relating to the:
- past, present or future physical or mental condition of an individual
- provision of health care to an individual
- past, present or future payment for the provision of health care to an individual

Health information is individually identifiable if it contains any of the following:
- Names
- Geographic subdivisions smaller than a state
- Dates directly related to an individual, including birth date and health care service admission or discharge dates
- Telephone numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Certificate/driver's license numbers
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic or code

Who is subject to the HIPAA Privacy and Security Rules?

Entities covered by HIPAA are:
- Health care providers
- Health plans
- Health care clearinghouses (e.g., a billing agent)

Catholic Charities is a covered entity as a health care provider. Health information collected and/or used by our staff is PHI and is subject to the Privacy and Security Rules.

What are the limitations on how we can use PHI internally or disclose PHI externally?

The Privacy Rule establishes permitted uses and disclosures of PHI by covered entities such as Catholic Charities. When PHI is shared within Catholic Charities it is being "used"; when PHI is shared outside of Catholic Charities it is being "disclosed". You could be using or disclosing information:
- Verbally
- Via email
- In a file or on paper
- On a computer
- By fax
- On a flash drive

The Privacy Rule allows the use or disclosure of PHI:
- For treatment
- For payment
- For health care operations
- With authorization by the individual
- When compelled by law

How do I know if I can share PHI?

You can determine whether you can use or share PHI by answering the following questions:
1. Is the disclosure for treatment, payment or health care operations purposes?
2. If not, do you have authorization from the client or legal guardian?
3. If not, is there a legal requirement for disclosure?
If the answer is yes to any of the above, you may share PHI both within and outside Catholic Charities.

Even if use or disclosure of PHI is permitted, we must ensure that we are using or disclosing only the minimum necessary information permitted under the Privacy Rule. The following questions help to determine whether a disclosure is the minimum necessary:
- What is the specific purpose for the request, use or disclosure?
- Exactly what information is required to accomplish the goal?
- Are you requesting/using/disclosing any information that is not relevant to the stated purpose of the request/use/disclosure?
- Are you requesting/using/disclosing an entire record without the entire record having been specifically identified?

Take care to protect PHI from accidental disclosure:
- Never release any item of personal information to anyone (except that individual or their legal representative) without the individual's knowledge and written approval.
- Double check the fax number to be sure it is correct, and be sure the intended recipient is available to pick up the fax when delivered.
- Don't send PHI by email.
- Keep all files containing PHI locked in file cabinets; don't leave papers or files lying out.
- Don't share client names and other identifiers in conversations that others may overhear.
- Place computer screens so they are not readily visible to people passing by.
- Password protect all computer files containing PHI and don't share passwords.

Clients have the following rights regarding their information:
- To see their records
- To make copies of their record
- To correct any inaccuracies in their record
- To request restrictions on confidential information
- To know when, how, why, with whom and by whom their information was used or shared

De-Identifying Information

PHI cannot be disclosed without consent unless it is de-identified. Example: a group counseling progress note was cited in the last audit due to problems with the documentation. The supervisor made copies of the progress note to pass out at a staff meeting so that the staff could see a noncompliant note that resulted in a payback. The progress note should not have been used/disclosed unless it had been de-identified.

What is de-identified information? Information that could not otherwise be used or disclosed without consent can be used if it has been de-identified. To de-identify, all elements must be removed that make it possible to identify the individual to whom the information pertains: remove names (client/family member), dates related to the individual, telephone numbers, email addresses, zip code, social security number, etc.

Definitions

Confidential Information: any item of personal information that can be associated with an individual and is not readily available to the public.
Consent for Release of Information: form used to obtain information from other individuals or organizations.
Information Transmittal: form used, prior to disclosure, to obtain the approval/signature of the clinical supervisor when a valid authorization request has been received.
Minimum Necessary Disclosure: limits the information to the minimum amount necessary to accomplish the intended purpose of the use or disclosure.
Notice of Privacy Practice: program participants receive this at the beginning of services to ensure they are aware and informed of Catholic Charities' privacy practices.
Protected Health Information (PHI): individually identifiable information relating to the past, present or future physical or mental condition of an individual, provision of health care to an individual, or payment for health care provided to an individual. PHI includes information in any format: paper (written), electronic, oral, photographs, videotapes, and other types of images.
Privacy Officer: consulted whenever a situation presents itself that could involve the disclosure of information with the individual's knowledge or approval.
Security Officer: consulted for loss or destruction of electronic protected health information, unauthorized access to computer systems, and questions regarding systems security and staff security access to electronic protected health information.

Policies and Procedures

Number            Policy
HIPAA 001.00      HIPAA Privacy Policy
HIPAA 002.00      HIPAA Security Policy
001.0 to 012.00   Information Services Policies
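The de-identification step described above, as an added example that is not part of the Catholic Charities training or its systems: a Python routine that drops the identifier fields the training lists from a structured progress-note record and scrubs names, dates, telephone numbers, email addresses, social security numbers, medical record numbers and zip codes from the note text, with a pre-sharing check for anything left behind. Field names and the sample note are constructed for this example.

```python
import re
from copy import deepcopy

# Structured fields covering the identifier categories the training lists (constructed field names).
IDENTIFIER_FIELDS = {
    "client_name", "family_member_names", "birth_date", "admission_date",
    "discharge_date", "phone", "email", "ssn", "medical_record_number",
    "health_plan_id", "drivers_license", "zip_code", "street_address", "photo",
}

# Identifiers that leak into free text; specific shapes (SSN, phone, MRN) run before the generic 5-digit ZIP.
FREE_TEXT_PATTERNS = [
    (re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"), "[SSN]"),
    (re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}(?!\d)"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"(?<!\d)\d{1,2}/\d{1,2}/\d{2,4}(?!\d)"), "[DATE]"),
    (re.compile(r"\bMRN\s*#?\s*\d+\b", re.I), "[MRN]"),
    (re.compile(r"(?<!\d)\d{5}(?:-\d{4})?(?!\d)"), "[ZIP]"),
]

def redact_text(text, names=()):
    """Scrub identifier patterns first, then client/family names (full names before surnames)."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    parts = {p for n in names for p in n.split() if len(p) > 2}  # surnames/first names used alone
    for name in sorted(set(names) | parts, key=len, reverse=True):
        text = re.sub(r"\b" + re.escape(name) + r"\b", "[NAME]", text, flags=re.I)
    return text

def deidentify(record, free_text_fields=("note_body",)):
    """Return a copy of the record with identifier fields dropped and free text scrubbed."""
    out = deepcopy(record)
    names = [n for n in [out.get("client_name", "")] + list(out.get("family_member_names", [])) if n]
    for field in IDENTIFIER_FIELDS:
        out.pop(field, None)
    for field in free_text_fields:
        if field in out:
            out[field] = redact_text(out[field], names)
    return out

def has_residual_identifiers(record, free_text_fields=("note_body",)):
    """Pre-sharing check: True if any identifier field remains or any pattern still matches the text."""
    if IDENTIFIER_FIELDS & set(record):
        return True
    return any(p.search(record.get(f, "")) for f in free_text_fields
               for p, _ in FREE_TEXT_PATTERNS)

# Constructed sample progress note (not real client data).
SAMPLE_NOTE = {
    "client_name": "Jane Doe",
    "family_member_names": ["Mark Doe"],
    "ssn": "123-45-6789",
    "medical_record_number": "48213",
    "program": "Group counseling",
    "note_body": "Group session 03/09/2019. Jane Doe (MRN 48213) reported improved "
                 "sleep. Brother Mark Doe may be reached at (216) 555-0199 or "
                 "markdoe@example.com. Mailing zip 44134.",
}
```

Pattern-based scrubbing catches the shapes the training names but not every free-form identifier (a nickname, an unusual date format), so the check is a gate before a reviewer looks at the note, not a replacement for one.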

HIPAA Security

HIPAA Security is a second component of the Health Insurance Portability and Accountability Act of 1996. It established a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations must put in place.

HIPAA Security: The Basics

The Security Rule applies to electronic protected health information (EPHI), that is, electronic health information that would allow someone to identify an individual. It protects the confidentiality, integrity and availability of EPHI. Examples:
- An intake form with client name and address
- A billing transmission with social security number and a diagnosis

Catholic Charities must have reasonable safeguards in place to protect EPHI against risks. These safeguards fall into three categories:
- Administrative
- Physical
- Technical

Administrative Safeguards

Some examples of administrative safeguards are:
- Having a named HIPAA Security Officer
- Having a plan for security incidents and a disaster recovery plan for IT
- Training staff on security practices
- Having policies to describe and enforce safe practices in protecting information

Physical Safeguards

Some examples of physical safeguards in use by Catholic Charities:
- Locks on server and records room doors
- Locking computers with passwords
- No use of personal computers for work
- No writing passwords on sticky notes and leaving them on monitors!

Technical Safeguards

Some examples of technical safeguards related to HIPAA Security:
- Limiting users on the network to access only what they need to access
- Ensuring that activity on the network is logged and reviewed
- Locking network ports to use by a single machine
- Using secure transfer methods for transmitting client data

Other Safeguards

It is important for staff to understand where EPHI is stored and how it is accessed. An inventory should be developed to catalog where this information is stored and how it is accessed, in order to assess for vulnerabilities. Reduce the number of locations where PHI is stored; move to single data sources to improve control.

Other Safeguards

It is a good practice to walk through your site to see where information may be accidentally discoverable:
- What information is on your sign-in sheet?
- How are the computer screens hidden from view?
- Are programs left open with client data on the screen?

PERSONAL PRIVACY

Catholic Charities collects, maintains and uses employee personal information to satisfy business needs and conform to applicable legal requirements. Catholic Charities preserves privacy for the employee by limiting access only to those who have a legitimate need to know.

Personnel files are continually reviewed and updated. Examples of personal information which may be in personnel files include, but are not limited to:
- Hiring information: employment applications, résumés, employment offer letters, acceptance letters, commendations, verification (copies) of credentials, employment references, verification of employment eligibility (I-9), criminal records check information and/or notification of charge(s)/conviction(s) of criminal offense(s).
- Wage or salary information: compensation change documentation.
- Work-related information: performance evaluations, hire dates, disciplinary warnings, layoff notices, documentation pertaining to leaves of absence, attendance records.
- Educational information: documentation from high schools, colleges, technical schools, training courses and workshops, system and site orientations, acknowledgement of receipt of the employee handbook.

A separate employee benefit file is retained for each employee. This file is separate from the personnel file. Benefits information may include: birth date, medical records, authorization to pay deductions and withholdings, and retirement records. This information is only released on a strict need-to-know basis. An employee must authorize, in writing, the release of information from his/her personnel file if the request is from an external source.

Information is released in response to authorized requests from law enforcement agencies, including investigations, summonses, subpoenas and judicial orders. Catholic Charities does not need to inform an employee that personal information has been disclosed to law enforcement agencies if it concerns an investigation of the employee's conduct, especially when the employee's actions endanger other employees, security and/or property.

The information discussed above references the paper personnel files maintained by the Human Resources Department. Please note that the same rules regarding the confidentiality of employees' personal information apply to electronic files.

Additionally, the requirement to maintain the confidentiality of employees' personal information extends beyond employees of the HR department and applies to employees of the Finance department and of the Information Services department. More broadly, Catholic Charities expects that any employee who may gain knowledge of employee personal information in the course of his or her work will maintain the confidentiality of that information.