2013 FCSRMC HIPAA TRAINING Presented by Carol Crews, CMPE
What is HIPAA? • Health Insurance Portability and Accountability Act (HIPAA) of 1996 • Congress called for the Department of Health & Human Services to develop standards and requirements for the electronic transmission of health information • Title II - Administrative Simplification provision - provides legislation around privacy, security and electronic data In a constantly changing environment, FCSRMC is committed to educating employees about healthcare information concerning HIPAA.
Six Key Areas of HIPAA • Standardization of Electronic Transactions & Code Sets • Privacy • Security • National Provider Identifiers • Electronic Signatures • Electronic Medical Records
What is a Covered Entity (CE)? • A covered entity includes a health plan or payor (including government payors), a healthcare clearinghouse such as a billing service, or a healthcare provider such as a physician, hospital, or pharmacy. (Does not include Life, Worker’s Comp, Disability or Property and Casualty plans). • All healthcare providers who transmit any healthcare information in electronic form, which includes telephones, fax machines and computers, are considered covered entities. • FCSRMC, acting as the covered entity, and its member colleges, acting as the plan sponsor, have undertaken fiduciary duties to the plan. A covered health plan includes a group health plan, which is defined as an employee welfare benefit plan under ERISA. This may include hospital and medical benefit plans, dental plans, vision plans, health flexible spending accounts and employee assistance plans.
What is a Business Associate? • Covered Entities (CEs) must have contracts with any third party or business associate who may have access to PHI while carrying out certain functions or activities on behalf of the college or covered entity. Business Associates include vendors, contractors and subcontractors for CEs. • Business Associates are accountable for protecting the privacy/security of PHI and are directly liable for criminal and civil penalties for violations. • Business Associates must notify the CE if they discover a data breach, and the notice must include the identity of each affected individual and any other information that the CE is required to include in its breach notification.
What is Protected Health Information (PHI)? • Anything that connects a patient or employee/individual to his or her information • Medical records and health data containing individually identifiable health information • Names, identification numbers (social security number, address, phone number), medical records, physician’s personal notes, and billing information
What is Individually Identifiable Health Information (IIHI)? Any health information that is collected from the patient/individual, or created or received by a Covered Entity, that could potentially identify an individual such as: • the past, present or future physical or mental health or condition of an individual • the provision of healthcare • the past, present or future payment for the provision of healthcare by your college
Examples of IIHI • Names • Geographic subdivisions smaller than a state (city, street address, county, precinct, zip code) • All elements of dates (birth date, admission date, discharge date, date of death). Exception - years • Telephone & fax numbers • E-Mail address • Social Security Numbers • Medical record numbers • Health plan beneficiary numbers • Account Numbers • Certificate/license numbers
Examples of IIHI Other Examples: • Vehicle identifiers and serial numbers (including license plate numbers) • Device identifiers and serial numbers • URLs (Uniform Resource Locators) • IP Address numbers • Biometric identifiers, including voice and fingerprints • Full face photographic images • Any other unique identifying number, characteristic, or code
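As an added illustration (not part of the training deck), the following Python scrubber applies the identifier classes listed on the two IIHI slides to a claim record: direct identifiers are dropped, dates are reduced to the year (the stated exception), a state is kept because it is not smaller than a state, and free-text fields such as notes are scanned for identifiers that leak in as text. The field names and the sample record are constructed for this example.

```python
import re
from datetime import date

# Identifier classes taken from the IIHI slides. The field names are constructed
# for this example; a real system would map its own schema onto these classes.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "zip", "phone", "fax", "email",
    "ssn", "medical_record_no", "beneficiary_no", "account_no", "license_no",
    "vehicle_id", "device_serial", "url", "ip_address", "fingerprint", "photo",
}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "date_of_death"}

# Patterns for identifiers that commonly leak into free text (notes, comments).
TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def redact_text(text):
    """Replace identifier patterns in free text; return (redacted text, classes hit)."""
    hits = []
    for label, pattern in TEXT_PATTERNS.items():
        if pattern.search(text):
            hits.append(label)
            text = pattern.sub("[%s REMOVED]" % label.upper(), text)
    return text, hits


def deidentify(record):
    """Return a scrubbed copy of record and the list of identifier classes removed."""
    scrubbed, removed = {}, []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            removed.append(key)                     # dropped entirely
        elif key in DATE_FIELDS and isinstance(value, date):
            scrubbed[key] = value.year              # keep only the year
            removed.append(key + " (generalized to year)")
        elif isinstance(value, str):
            scrubbed[key], hits = redact_text(value)
            removed.extend("%s:%s" % (key, h) for h in hits)
        else:
            scrubbed[key] = value                   # e.g. state, diagnosis code
    return scrubbed, removed


# Constructed sample claim record; every value is fictitious.
SAMPLE = {
    "name": "Jane Example", "state": "FL", "zip": "32301",
    "admission_date": date(2013, 3, 14), "diagnosis_code": "J45.909",
    "notes": "Call patient at 850-555-0100 or jane@example.com re: claim.",
}
```

Running `deidentify(SAMPLE)` keeps the state and diagnosis code, turns the admission date into 2013, drops the name and zip, and redacts the phone number and e-mail address inside the notes.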
HIPAA’s Privacy Rule HIPAA’s Privacy Rule covers the use and disclosure of PHI for: • Individually Identifiable Health Information (IIHI) held or disclosed by a health plan regardless of how it is communicated (electronically, verbally, or written) • Information shared, examined, applied or analyzed by a covered entity that receives or maintains it • Information that is disclosed when released, transferred, allowed to be accessed or divulged outside the entity • Patient or employee/individual rights over health information
Privacy Compliance HIPAA's Privacy Rule is everyone's business ‑ from the CEO to the maintenance staff. It protects our fundamental right to privacy and the confidentiality of our medical information. Basically, the HIPAA Privacy Rule: • Imposes restrictions on the use and disclosure of personal health information • Created new rights for individuals concerning their health information
Consent and Authorization Covered entities cannot share PHI without the individual's awareness of their privacy rights. To use and disclose PHI for purposes other than treatment, payment and health care operations, Covered Entities must obtain a standard consent or authorization, with a few exceptions. Consent can be revoked by an employee/individual (patient) in writing. It is the policy of FCSRMC and its member colleges that individuals have a right to request that no disclosure be made of PHI. FCSRMC and its member colleges are not obligated to grant the request.
Consent and Authorization A summary of the Privacy Notice that is brief and written in plain language will be provided to the employee/individual. It will outline: • How PHI will be used and disclosed • The patient/employee's privacy rights, date, and patient or patient representative's signature • Refer patient to review the organization's Notice of Privacy Practices This should be provided by the Group’s Health Plan TPA to the Group Health Plan participants.
Consent and Authorization Authorization: • Can be requested for specific purposes • For use/disclosure of PHI outside the health care facility for the continuum of care • Generally, for reasons other than treatment, payment and health operation purposes • Only covers use/disclosure outlined in the form • Must have an expiration date Authorization forms must contain: • Description of PHI to be used/disclosed • Name of Covered Entity authorized to use/disclose • The party to whom PHI will be released • Date, signature and expiration date
Under what condition can PHI be used or disclosed? The individual who is the subject of the information: • has authorized the use or disclosure • has received the Notice of Privacy Practices developed and distributed by your third party administrator (TPA), thus allowing the use or disclosure, and the use or disclosure is for treatment, payment or health care operations • agrees with the disclosure via the authorization form or a signed copy of this Privacy Policy, and the disclosure is to persons involved in the processing or assistance of health care claims • is provided the disclosure for compliance-related purposes
Under what condition can PHI be used or disclosed? • The use or disclosure is for one of the HIPAA “public purposes” (i.e. required by law, etc.) • The information is disclosed for the purposes of a judicial or administrative proceeding only when accompanied by appropriate documentation and directed to the TPA. • Patient Health Information will never be utilized to make employment decisions (hiring, termination, promotion)
Employee (patient) Rights The Privacy Rule gives employees/individuals the right to: • Review the Notice of Privacy Practices • Review past access and request amendments • Limit access to PHI - Access is limited to people who need it for their specific job function and only the minimum necessary to accomplish the assigned job function
Employee (patient) Rights The following requests should be directed to and processed by the Group’s Health Plan TPA: • Request a review and/or amendment of the health record • Restrict disclosures • Have access to his/her own PHI • Receive a PHI disclosure for disclosures that have occurred outside the TPO relationships
Employee (patient) Rights • File a written complaint if privacy is violated. • Complaints should be directed to the college’s privacy contact, and any intimidating or retaliatory acts are prohibited. • Know that their PHI is safeguarded to protect it from any intentional or unintentional use or disclosure that is in violation of the HIPAA Privacy Rule: • Physical protection of premises and PHI • Technical protection of PHI maintained electronically • Administrative protection
Enforcement of HIPAA Compliance The U.S. Department of Health and Human Services’ Office of Civil Rights (OCR) has been assigned the authority to enforce the Privacy Rule. The OCR has several responsibilities: • Investigating complaints it receives from individuals who believe that a Covered Entity is not complying with HIPAA privacy requirements • Providing Covered Entities with assistance in order to achieve compliance • Making determinations regarding exceptions to state law pre-emption. Any person or organization can file a complaint with OCR, but complaints typically must be filed within 180 days of the occurrence of an action in violation of the Privacy Rule.
HIPAA Security Rule Security encompasses the measures organizations must take to protect information within their possession from internal and external threats. The Security Rule: • Focuses on requirements for safeguarding PHI in the electronic form through policies, procedures and technology in order to preserve confidentiality, integrity and availability of electronic PHI. • Mandates that PHI is concealed from people who do not have the right to see the information. • Mandates integrity of data by ensuring information has not been improperly changed or deleted.
Create PHI “Firewalls” • Establish an “accounting” procedure to track uses and releases of PHI • Limit access to only those employees that require it (“Minimum necessary”) • “Minimum necessary” use must identify persons or classes of persons who need access to PHI to carry out their duties • “Minimum necessary” use must identify the categories of PHI for each person or class of persons (job descriptions are one of the most common places to document this)
Threats to Your PHI and Your Company • Current and former employees (malicious intent, curiosity, carelessness) • Visitors • Business Associates • Hackers, criminals, terrorists • Improper use or disposal of PHI
Security Safeguards • Ensure that security plans, policies, procedures, training and contractual agreements exist • Establish an employee termination policy • Security incident reporting system (report, respond, repair) • Procedures that address staff responsibilities for protecting data • Security safeguards that protect physical computer systems and related buildings and equipment from fire and other environmental hazards, as well as intrusion • The use of locks, keys, and administrative measures used to control access to computer systems and facilities are also included
Maintain Documentation Maintain the following documentation for six years, unless a longer period applies: • All necessary policies and procedures. Ensure changes to policies and procedures are not implemented until documented and appropriate persons are notified. • Business Associate Agreements • Patient Acknowledgement of Privacy Policies
Maintain Documentation • Authorization forms • Notices and amended notices • Training of employees • Patient/employee complaints and their disposition (this must be documented on the complaint form and forwarded to FCSRMC) Your organization must cooperate with an OCR investigation or compliance review should these occur.
Medical Information – Personnel Records In accordance with Section 112.0455, Florida Statutes (the Drug-Free Workplace Act), drug screen results are confidential and exempt from disclosure under the public records law. However, the Americans with Disabilities Act (ADA) and HIPAA require that all medical documents be filed separately from personnel records. Medical information should be kept confidential and away from personnel records even if the company does not fall under ADA or HIPAA regulations. Medical paperwork that should be filed separately includes the following: • Reports from pre-employment physicals • Drug and alcohol testing results • Workers' compensation paperwork • Medical leave of absence forms • Disability paperwork • Insurance applications that reveal pre-existing conditions • Anything that identifies a medical issue
What is a Breach? • Impermissible use/disclosure of PHI which poses significant risk of harm, such as financial, reputational, or other harm. • A Covered Entity (CE) that accesses, maintains, retains, modifies, records, stores, destroys or otherwise holds, uses or discloses unsecured PHI must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired or disclosed due to a breach. • It is not a breach if there is a good faith belief that the unauthorized person to whom the disclosure was made would not be able to retain the PHI. • It is not a breach if it is an unintentional acquisition or use, in good faith and within the course and scope of employment, by someone authorized to access PHI.
Penalties under HIPAA Improper use or disclosure of PHI can result in the following fines and/or imprisonment, as set forth under HIPAA: • If offender did not know, and by exercising reasonable diligence would not have known that he/she violated the law: $100 - $50,000/violation for identical violations. • If the violation was due to reasonable cause and not willful neglect: $1,000 - $50,000/violation for identical violations. • If the violation was due to willful neglect but was corrected: $10,000 - $50,000/violation, and imprisonment up to 5 years. • If the violation was due to willful neglect and was not corrected: $50,000 and imprisonment up to 10 years. Maximum for all violations of a single standard in a year: $1,500,000.
How important is it to you that your records remain private and confidential? If records are placed in the wrong hands, it can negatively impact your personal safety, job security, or relationships. • Do not share Personal Health Information without prior consent or authorization. Always ensure that the information is being sent to the correct person by never releasing information without referring to the consent or authorization. • Use and disclose the minimum necessary to protect patient privacy. • Remember, privacy is everyone's business. HIPAA is a federal law that all must abide by.
Key Points • Identify systems/areas that have covered data (paper and electronic) • Secure your PHI (paper and electronic) • Ensure your HIPAA policies and procedures are updated and that the location is known by all applicable staff • Assign internal roles and responsibilities • Encrypt data at rest / in transit
Key Points • Provide initial training at hire and annually thereafter. Use the group attendance log as documentation. • Maintain a separate employee health file. • Keep all protected information in a limited access area and under lock and key.
How Can Staff Help? • Manage your password – Do not write password anywhere and do not share with anyone • Use workstations properly • Know FCSRMC’s sanction policies • Learn and follow the college’s policies and procedures • Don’t leave information open and unattended • Lock computer, desk and file cabinets when you leave • Use the shredder when destroying information