Domain V - Privacy, Security, and Confidentiality (13%)
RHIA Prep Workshop Test Year 2014

Objectives
1. Design and implement security measures to safeguard Protected Health Information (PHI)
2. Manage access, disclosure, and use of PHI to ensure confidentiality
3. Investigate and resolve healthcare privacy and security issues/problems
4. Develop and maintain healthcare privacy and security training programs
What is PHI?
As per HIPAA's Privacy Rule: "individually-identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral
Individually-identifiable Health Information
Demographic data that relates to:
• the individual's past, present or future physical or mental health or condition, or
• the provision of health care to the individual, or
• the past, present, or future payment for the provision of health care to the individual

IIHI…
And …that identifies the individual, or …provides a reasonable basis to believe it can be used to identify the individual
Examples of common identifiers:
• name
• address
• birth date
• Social Security Number
Ownership of Health Record
• Physical Record = property of provider
• Information in the Record
  • Patient has the right to access the information*
  • Patient has an interest in the content
  • Patient has limited rights to control the disclosure and use of content
*Except psychotherapy notes
Confidentiality
A legal as well as ethical obligation between health care professional and patient
However… sharing PHI enables other health care professionals to care for patients more efficiently and safely

Confidential Information
• Information derived from the clinical relationship
• Information given in the belief that it will not be disclosed to another party
• Information that has some connection with the provider's task of caring for the patient

Super Confidential Information
• HIV status
• Pregnancy termination
• History of mental health problems
• History of drug and alcohol abuse
ALWAYS requires Express Consent
Release of Information
Express authorization is required before release to:
• Patient's attorney or insurance company
• Patient's employer, unless a worker's compensation claim is involved
• Member of the patient's family, except where the family member has been appointed the patient's attorney under a durable power of attorney for health care
• Government agencies
• Other third parties as designated by law
Release of Information
Permitted without the patient's express authorization for:
• To the Individual (unless required for access or accounting of disclosures)
• Treatment, Payment, and Health Care Operations
• Opportunity to Agree or Object
• Incident to an otherwise permitted use and disclosure
• Public Interest and Benefit Activities
• Limited Data Set for the purposes of research, public health or health care operations
Rely on professional ethics and best judgment in deciding
Release of Information
Before forwarding medical records to:
• an MCO
• utilization review programs
• other health programs
• physicians, hospitals, and others
it is recommended to get the patient's express permission for release of medical records

Release of Information Form
• Description of specific information to be used or disclosed
• Name of person/entity disclosing PHI
• Name of person/entity receiving PHI
• Expiration date
• Ability to revoke
• Authorizing signature

Release of Information
Failure to get the patient's release for medical records may have serious results
21 states punish improper disclosure of confidential information by revoking a physician's medical license or taking other disciplinary action
Types of Consent
• Implied Consent – implied by the patient's behavior
• Express Consent – specific and in writing
• Informed Consent – given after understanding

Informed Consent
Advising the patient of:
• Reasons for the treatment
• Treatment options, including alternatives
• Prognosis after this treatment
• Prognosis without this treatment
• Possible complications of this treatment

Informed Consent
Evidence of consent:
• Dated, timed, and signed informed consent prior to treatment
• Must be included in the patient's record

Consent Needed
• Consent to Treat – patient has the right to refuse treatment
• Consent to Release Information (PHI)
Other Consents
• Advance Directive
  • Living will -- DNR (Do Not Resuscitate)
  • Durable Power of Attorney for health care
  • Healthcare Surrogate
• Subpoena [court order requiring testimony]
• Subpoena duces tecum [court order requiring specific documents to be produced]

Who Can Consent
• Patient [competent adult/emancipated minor]
• Patient's legal representative [patient is incompetent or a minor child]
• Administrator or executor of the patient's estate [patient deceased]
• Court of law
Amending the Record
Individuals have the right to request an amendment of PHI in a designated record set when that information is inaccurate or incomplete
• Amendment request accepted: the provider must amend the record and make a reasonable effort to provide the amendment to those needing it, and to those who rely on the information to the individual's detriment

Amending the Record
• Request denied: covered entities must provide the individual with a written denial and allow the individual to submit a statement of disagreement for inclusion in the record.
• The Rule specifies processes for requesting and responding to a request for amendment.
Practice Question #1
Which of the following situations violates the patient's privacy?
A. Hospital sends out invitations to free childbirth classes to all patients scheduled for delivery
B. Physician on the Quality Improvement Committee reviews patient records
C. Hospital gives a pharmaceutical company patient names and addresses for a mass mailing of free drug samples
D. Hospital uses aggregate data to determine if a new operating room is needed

Practice Question #2
A patient has requested an electronic copy of her medical record to be sent to her physician. The correct action is ___?
A. None, this is prohibited by HIPAA
B. None, this is prohibited by other laws
C. Patient has the right to an electronic copy, but only to be sent to the patient
D. Patient has the right to an electronic copy to be sent to the patient or another designated person

Practice Question #3
The patient has been told that there are some records to which she cannot have access. These are most probably __?
A. Psychotherapy notes
B. Alcohol and drug records
C. AIDS records
D. Mental health assessment
Practice Question #4
Which statement is true about when PHI can be disclosed to family members?
A. Patient's mother can always receive the child's PHI
B. Family member lives out of town and cannot visit in person
C. Family member is a health care professional
D. Family member is directly involved in the patient's care

Practice Question #5
Protected health information includes:
A. Only electronic individually identifiable health information
B. Only paper individually identifiable health information
C. Individually identifiable health information in any format stored by a health care provider
D. Individually identifiable health information in any format stored by a health care provider or business associate

Practice Question #6
A subpoena duces tecum is received in connection with a lawsuit. The subpoena does not state whether the named individual is a party to the lawsuit, and, if so, whether the individual is the plaintiff or defendant. In addition, the subpoena does not indicate whether the requesting attorney represents the plaintiff or the defendant in the lawsuit. Which of the following would be the strongest argument for refusing to comply with the subpoena?
A. There is neither an actual nor an implied waiver of the right to privacy by the patient.
B. There is no indication as to whether the named individual is a party to the lawsuit.
C. A subpoena must be served by the local law enforcement agency.
D. It is not known whether the patient is the plaintiff or defendant.
Security
• Maintain physical and electronic protection
  • Integrity
  • Availability
  • Confidentiality
• Maintain resources to enter, store, process, and communicate PHI
• Utilize a tracking system to locate records
• Educate personnel re: confidentiality of PHI

Security
• Integrity = not altered or destroyed in an unauthorized manner or by an unauthorized person
• Availability = accessible and usable on demand by authorized person(s)
• Confidentiality = not used or disclosed to unauthorized person(s)

Security
• Protect against reasonably anticipated threats
  • Unauthorized access
  • Loss
  • Theft
  • Tampering
  • Destruction

Security
"Covered entities must review and modify their security measures to continue protecting e-PHI in a changing environment."
-- HIPAA's Security Rule
Authentication
• Identification and confirmation of the identity of users
  • Who is this user?
  • Is the user actually who he or she claims to be?
• Relies on a specific, unique fact
  • Password
  • Fingerprint
  • Security question

Authorization
• The level of access permitted
  • What records can be accessed?
  • Read only permission
  • Read and write permissions
  • Read, write, and edit permissions

De-Identified Information
Individually identifiable details are omitted or blacked out
Also known as "redacted"
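The de-identification slide says identifiers are "omitted or blacked out"; the example below shows both operations on a record that carries the four common identifiers named on the IIHI slide (name, address, birth date, Social Security Number). This is an added example, not material from the workshop slides: the field names, the `SSN_PATTERN` regex and the sample record are all constructed for illustration.

```python
"""De-identify a patient record by removing the identifier fields and blacking
their values out of free text (added example; schema and sample are constructed)."""
import re

# Field names for the identifiers listed on the IIHI slide (constructed schema).
DIRECT_IDENTIFIERS = ("name", "address", "birth_date", "ssn")

# US-style SSN shape, for identifiers that were typed into free-text fields.
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
REDACTED = "[REDACTED]"


def de_identify(record: dict) -> dict:
    """Return a copy with identifier fields omitted (dropped) and their values
    blacked out of every string field, where clinicians tend to repeat them."""
    values = [str(record[f]) for f in DIRECT_IDENTIFIERS if record.get(f)]
    clean = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    for key, val in clean.items():
        if not isinstance(val, str):
            continue
        for ident in values:                       # this record's own identifiers
            val = re.sub(re.escape(ident), REDACTED, val, flags=re.IGNORECASE)
        val = SSN_PATTERN.sub(REDACTED, val)       # any other SSN-shaped token
        clean[key] = val
    return clean


def is_de_identified(record: dict) -> bool:
    """Check: no identifier field present and no SSN-shaped token in any text."""
    if any(f in record for f in DIRECT_IDENTIFIERS):
        return False
    return not any(isinstance(v, str) and SSN_PATTERN.search(v)
                   for v in record.values())


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "address": "12 Elm St",
    "birth_date": "1980-04-02",
    "ssn": "123-45-6789",
    "diagnosis": "hypertension",
    "notes": "Jane Doe (SSN 123-45-6789) seen for follow-up; spouse SSN 987-65-4321 on file.",
}

if __name__ == "__main__":
    print(de_identify(SAMPLE_RECORD))
```

Dropping the fields alone is not enough, which is why the notes field is scanned twice: once for the record's own identifier values and once for any SSN-shaped token belonging to someone else. The four fields here are only the identifiers the slide names; HIPAA's Safe Harbor method lists considerably more (dates, telephone numbers, record numbers and others), so a production routine needs a wider schema.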
Security
Administrative Safeguards
• Requires a risk analysis to be performed
• Risk analysis should be ongoing/performed on a regular basis to evaluate and correct

Administrative Safeguards
• Identify and analyze potential risks to ePHI
• Implement security measures to reduce risks and vulnerabilities
• A Security Officer must be designated to be responsible for development and implementation of security policies and procedures

Risk Analysis
• Evaluate the likelihood and impact of potential risks to e-PHI
• Implement appropriate security measures to address the risks identified in the risk analysis
• Document the chosen security measures and, where required, the rationale for adopting those measures
• Maintain continuous, reasonable, and appropriate security protections.
Practice Question #7
You have been assigned the responsibility of performing an audit to confirm that all of the workforce's access is appropriate for their role in the organization. This process is called ___?
A. Risk assessment
B. Information system activity review
C. Workforce clearance procedure
D. Information access management

Practice Question #8
Which of the following is subject to the HIPAA Security Rule?
A. X-ray films stored in radiology
B. Paper medical records
C. Faxed records
D. Clinical data repository
Information Access Management
Implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient's role (role-based access)

Workforce Training & Management
• Appropriate authorization and supervision of workforce members who work with e-PHI
• Train all workforce members regarding its security policies and procedures
• Apply appropriate sanctions against workforce members who violate its policies and procedures.

Physical Safeguards
• Limit physical access to its facilities while ensuring that authorized access is allowed
• Specify proper use of and access to workstations and electronic media
• Implement policies and procedures related to the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of e-PHI

Technical Safeguards
• Ensure only authorized persons have access to e-PHI
• Record and examine all activities in information systems that contain or use e-PHI
• Ensure that e-PHI is not improperly altered or destroyed
• Guard against unauthorized access to e-PHI that is transmitted over an electronic network
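The Authorization slide's three permission levels, the role-based access required under Information Access Management, and the technical-safeguard requirement to "record and examine all activities" fit together in one small mechanism: decide each request from the user's role, never from the user's name, and write every decision, allowed or denied, to an audit log that can later be reviewed. The Python below is an added example, not code from the workshop slides; the roles, user names, record ids and the role-to-permission mapping are constructed for illustration.

```python
"""Role-based access to e-PHI with an audit trail (added example; the roles,
users, permission mapping and record ids below are constructed)."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import IntEnum


class Permission(IntEnum):
    """Ordered access levels; a higher level includes the lower ones."""
    NONE = 0
    READ = 1              # read only
    READ_WRITE = 2        # read and write
    READ_WRITE_EDIT = 3   # read, write, and edit


# Constructed role -> highest permission level on e-PHI.
ROLE_PERMISSIONS = {
    "physician": Permission.READ_WRITE_EDIT,
    "nurse": Permission.READ_WRITE,
    "billing_clerk": Permission.READ,
    "volunteer": Permission.NONE,
}

# Action -> minimum permission it requires.  Unknown actions are denied.
ACTION_REQUIRES = {
    "read": Permission.READ,
    "append": Permission.READ_WRITE,
    "amend": Permission.READ_WRITE_EDIT,
}


@dataclass
class AuditEntry:
    """One line of the information-system activity log."""
    timestamp: str
    user: str
    role: str
    action: str
    record_id: str
    allowed: bool


@dataclass
class AccessControl:
    audit_log: list = field(default_factory=list)

    def check(self, user: str, role: str, action: str, record_id: str) -> bool:
        """Decide by role and log every attempt, denied ones included."""
        granted = ROLE_PERMISSIONS.get(role, Permission.NONE)   # unknown role -> NONE
        required = ACTION_REQUIRES.get(action)
        allowed = required is not None and granted >= required
        self.audit_log.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), user, role, action, record_id, allowed))
        return allowed

    def denied_attempts(self) -> list:
        """The entries a reviewer looks at first."""
        return [e for e in self.audit_log if not e.allowed]

    def denials_per_user(self) -> dict:
        """Activity-review summary: denied attempts per user."""
        return dict(Counter(e.user for e in self.denied_attempts()))


def demo() -> AccessControl:
    """Run a constructed sequence of access attempts and return the log holder."""
    ac = AccessControl()
    ac.check("dr_ali", "physician", "amend", "MRN-0001")
    ac.check("n_kim", "nurse", "append", "MRN-0001")
    ac.check("n_kim", "nurse", "amend", "MRN-0001")           # nurse may not amend
    ac.check("b_ray", "billing_clerk", "read", "MRN-0001")
    ac.check("b_ray", "billing_clerk", "append", "MRN-0001")  # read-only role
    ac.check("v_lee", "volunteer", "read", "MRN-0001")        # no e-PHI access
    ac.check("v_lee", "volunteer", "read", "MRN-0002")
    return ac


if __name__ == "__main__":
    ac = demo()
    for entry in ac.audit_log:
        print(entry)
    print("denials per user:", ac.denials_per_user())
```

Two design points carry the slides' intent: an unknown role or an unknown action falls through to deny rather than to allow, and the log records the denied attempts as well as the granted ones, since a run of denials for one user is exactly what a Practice Question #7 style activity review is meant to surface.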
Practice Question #9
Intentional threats to security could include:
A. A natural disaster (flood)
B. Equipment failure
C. Human error (data entry error)
D. Data theft (unauthorized downloading of files)

Practice Question #10
Facility access controls, workstation use, workstation security, and device/media controls are all part of:
A. Physical safeguards
B. Technical safeguards
C. Administrative safeguards
D. Organizational requirements
Records Retention
Factors influencing retention of health information:
• Health care providers' ability to continue to provide care, educate, research, and defend a professional liability action
• Storage constraints
• Historical value
• Research and education

Records Retention
• Medium for storing records (electronic, paper, etc.)
• New technology
• Fiscal concerns

Retention Schedule
• Adult Record = 10 years after last encounter
• Minor Record = Until age of majority + statute of limitations for malpractice lawsuits
• Imaging = 5 years
• Disease index = 10 years
• Physician index = 10 years
• Operative index = 10 years

Retention Schedule
• Fetal heart monitor record = Until age of majority + 10 years
• Master patient index = Permanently
• Register of births = Permanently
• Register of deaths = Permanently
• Register of surgical procedures = Permanently