Confidentiality / HIPAA
Electronic Protected Health Information (EPHI)
• Examples of EPHI:
  • Patient names
  • Diagnosis
  • Date of birth / Age
  • Address / Room number
  • Social Security number
  • Test results
  • Past health conditions
  • Treatments and medications
  • Account number, or any number that is specific to a patient
It is our RESPONSIBILITY to protect the IDENTITY of our PATIENTS!
Staff Awareness & Training
• Security training is necessary for all workforce members, whether or not they access protected health information.
• Education is provided initially to employees during orientation and annually to employees during Race Day.
• Periodic newsletters prepared by the Privacy/Security Officer, Joan Engels, containing new information and reminders may be sent out through department-wide email, posted by time clocks, attached to the Adams Family Newsletter, and delivered to the physician mailboxes.
Employees Access To Their Own Electronic Record
• It is inappropriate to access your own ePHI without following the same procedures that apply to any patient.
• If it is not your immediate job responsibility, the same applies to the records of family members, co-workers, and friends.
Employees Access To Their Own Electronic Record
• Adams Health Network is responsible for protecting the integrity of all medical records.
• Preventing employees from gaining unauthorized access to their own record reduces the potential for an incorrect record.
• Accessing your own ePHI is a violation of the Minimum Necessary Rule Policy.
Employees Access To Their Own Electronic Record
• Discrimination: If we allowed employees to access their own record without following the appropriate procedures, it would be unfair to employees with lower security access.
• Clean Audit: When running audits, personal access to the records of employees, co-workers, or family members raises concern for a HIPAA violation, and a detailed audit is performed.
• Accessing your own record is a violation of our Sanction Policy, and disciplinary action will be implemented.
Employees Access To Their Own Electronic Record
• Employees are not to access the ePHI of their family, co-workers, friends, etc. unless it is required to do their job.
• Access of this nature is flagged on audits; when in doubt, do not proceed, and instead ask another co-worker to complete the task.
• Even if an employee or physician asks you to retrieve their ePHI, they should be encouraged to use the proper procedure for authorization and access.
Employees Access To Their Own Electronic Record
• Employees are not to access their own ePHI for any purpose.
• If an employee unintentionally accesses their own PHI (for example, a transcriptionist automatically retrieves a dictation of their own outpatient consult), the process is to:
  • Exit the ePHI as soon as possible.
  • Report the occurrence to their manager.
  • The manager will have the employee complete the form "Unintentional Access to ePHI" and maintain this document in case an audit identifies the alleged breach.
Employees Access To Their Own Electronic Record
• Test Patients During Training
  • Use a test patient rather than yourself, a family member, friend, or co-worker for training purposes.
  • (Contact the IT Dept. if you need the name of a test patient.)
Employees Access To Their Own Electronic Record
• Appropriate Process to Gain Access to ePHI:
  • If the task that needs to be done is part of your job responsibility, you must act as a “patient” and go through the same channels, with another employee completing the task.
  • Listed below are examples of appropriate scenarios:
    • When a registration clerk is scheduled for a radiology test, another registration clerk needs to register her.
    • When a physician calls asking a radiology employee for that employee’s own chest x-ray report, the employee should hand the request to another radiology employee.
    • When a Health Information Services employee is scanning and comes across their own documents, they need to give the documents to another employee to scan.
    • When a lab tech comes across their own vial of blood, they should ask another lab employee to result it.
Employees Access To Their Own Electronic Record
• Appropriate Process to Gain Access to ePHI:
  • To retrieve your medical records or those of family members, you (or the patient, if an adult) must go to the appropriate department and complete the necessary paperwork.
• Necessary Emergency Access:
  • Access your own record only in the event that there is no other workforce member available at the time the information is required by a health care practitioner.
Employees Access To Their Own Electronic Record
“Unintentional or Necessary Emergency Access to ePHI” Form:
• This form is to be completed when an employee “unintentionally” accesses ePHI or has an incident where "emergency access was necessary."
• The employee should then forward the completed form to their supervisor.
• When the HIPAA Security Officer audits this account number and presents you with concerns, this documentation will be important to support your employee as to why they accessed the ePHI.
Unintentional or Necessary Emergency Access to ePHI
Employee Name: ___________________________________  Employee #: ______________
Division: _____________  Department: __________
Supervisor: ______________________  Job Description: _____________________________
Date of Occurrence: ____________________  Date of Form Completion: _______________
Account Number Accessed: _________________  Relationship to Employee: ____________
Please describe in detail what prompted the unintentional access:
Signature of Employee: __________________________________  Date: _______________
Signature of Supervisor: _________________________________  Date: _______________
Supervisors, please keep this for your records. You may have the employee type on the form and “save as” in your network folder to eliminate a paper copy. When we audit this account number and present the concern to you, this documentation will be important. If you believe there needs to be further investigation now, please forward this information to Joan Engels or Brent Senesac.
What is a breach?
The acquisition, access, use, or release of protected health information (PHI) in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI.
“Compromises the security or privacy of the PHI” = poses a significant risk of financial, reputational, or other harm to the individual.
Most common form of data breach: Medical Snooping
When a workforce member, because of celebrity curiosity, domestic disputes, or second-guessing clinician opinions, accesses a patient’s ePHI without needing it to do their job.
Penalties for Breaches
• The Secretary of Health and Human Services will base the penalty determination on the nature and extent of both the violation and the harm caused by the violation.
• The maximum penalty is $50,000 per violation, with a cap of $1,500,000 for all violations of an identical requirement or prohibition during a calendar year.
• The minimum civil monetary penalties are tiered based upon the organization’s perceived liability for the HIPAA violation.
• Tier A – The offender did not know: $100 for each violation; the total for all violations of an identical requirement during a calendar year cannot exceed $25,000.
• Tier B – Violation due to reasonable cause, not willful neglect: $1,000 for each violation; the total for all violations of an identical requirement during a calendar year cannot exceed $100,000.
• Tier C – Violation due to willful neglect, but corrected: $10,000 for each violation; the total for all violations of an identical requirement during a calendar year cannot exceed $250,000.
• Tier D – Violation due to willful neglect, and NOT corrected: $50,000 for each violation; the total for all violations of an identical requirement during a calendar year cannot exceed $1,500,000.
AHN HIPAA Violations for 2011
• AHN had 17 HIPAA privacy/security violations (18 complaints)
• Notified 29 patients whose PHI we breached
• Reported 3 cases to the U.S. Department of Health & Human Services (DHHS), Office of Civil Rights, regarding our actions for these 29 patients
• Terminated one staff member, suspended (unpaid) one staff member, and had a Business Associate terminate one of their staff members
AHN 2011 HIPAA Violations
1. Disclosed PHI to the incorrect patient – 5 violations
2. Faxed PHI to the incorrect fax number – 4 violations
3. Accessed PHI NOT needed to do their job – 2 violations
4. Sent PHI in an e-mail outside of “adamshospital.com” without encrypting it – 1 violation
5. Left PHI in the cafeteria – 1 violation
6. Put PHI on Facebook – 1 violation
7. Released PHI without proper authorization – 1 violation
8. Business Associate issues – 2 violations
Disciplinary Action for HIPAA Violations
• Determined on a case-by-case basis and dependent upon the severity of the violation
• Action can range from a verbal warning with remediation to suspension or termination
• Disciplinary action is maintained in the employee’s personnel file
Sanctions for Privacy & Security Related Issues
3 Levels of Sanctions:
• Level 1: Carelessness
• Level 2: Curiosity or Concern
• Level 3: Personal Gain or Malice
Level 1: Carelessness
• Employee unintentionally or carelessly accesses, reviews, or reveals PHI to him/herself or others without a legitimate need to know.
Carelessness
• Examples:
  • Employees discussing PHI in public areas;
  • Employees leaving copies of PHI in publicly accessible areas;
  • Failing to log off computer terminals when left unattended;
  • Accessing his/her own medical record;
  • Requesting another employee to access his/her medical record;
  • Sharing passwords;
  • E-mailing PHI outside the organization (excluding the domain adamshospital.com);
  • Not securing the storage or disposal of laptops, CDs, and other portable devices containing electronic PHI.
Disciplinary Sanctions
• Considering the facts on a case-by-case basis, actions could include the following (and are not necessarily progressive):
  • Training/counseling;
  • Verbal warning and training;
  • Written warning and training;
  • Final written warning or suspension (unpaid);
  • Termination.
Level 2: Curiosity or Concern
• Employee intentionally accesses, reveals, or discusses PHI for purposes other than the care of the patient or as needed to perform their job, but unrelated to personal gain.
• Level 2 violations are a purposeful disregard of organizational policies.
Curiosity or Concern
• Examples:
  • Employees looking up birth dates or addresses of friends or relatives;
  • Employees accessing and reviewing medical records out of curiosity or concern;
  • Employees reviewing a public personality’s medical records;
  • Releasing PHI inappropriately;
  • Employees inappropriately accessing daily census reports;
  • Repeated Level 1 violations.
Disciplinary Sanctions
• Considering the facts on a case-by-case basis, the actions could include the following (and are not necessarily progressive):
  • Oral warning with training.
  • Written warning with training.
  • One- to three-day suspension (unpaid) with training.
  • Termination of employment.
Level 3: Personal Gain or Malice
• Employee accesses, reviews, or discusses PHI for personal gain or with malicious intent, and there is a malicious disregard of organizational policies.
Personal Gain or Malice
• Examples:
  • An employee reviews a patient’s medical record to use information in a personal relationship;
  • An employee compiles a mailing list for personal use or to be sold for monetary gifts;
  • Releasing data for personal gain;
  • Destroying or altering data intentionally;
  • Releasing data with the intent to harm an individual or the organization;
  • Repeated Level 2 violations.
Disciplinary Sanctions
• Considering the facts on a case-by-case basis, actions could include the following (and are not necessarily progressive):
  • One- to three-day suspension (unpaid) with training;
  • Dependent upon the severity, termination of employment.
Reporting Violations
• Individuals who observe or are aware of suspected violations must report them to either their Department Manager or to the Privacy Officer, Joan Engels, in a manner that maintains the privacy of both the patient(s) and the employee(s).
• If it is your Department Manager who is committing the violation, report it to the Department Manager’s supervisor or to Joan Engels.
All HIPAA violations and disciplinary action will be maintained in the employee’s personnel file.