Learn HIPAA basics, recent experiences, corrective actions, and how to report compliance issues. Understand auditing, monitoring, and resources. Mandatory for new hires, volunteers, and business associates. Protect PHI to prevent identity theft and comply with HIPAA laws. Training covers breach assessments, penalties, and safeguarding PHI.
HIPAA Training 2019 Santa Barbara County Public Health Department
Training Objectives • Training Requirement Update • HIPAA Basics • Recent HIPAA Experiences and Corrective Actions • Business Associates and HIPAA • How do I report Compliance and HIPAA issues? • Auditing and Monitoring • Resources for more information • Online quiz at the end
HIPAA Training Requirements for Public Health Workforce Training Requirements • Mandatory for: • All new hires and volunteers prior to getting computer access. • Annual refresher training for all workforce members. • Business Associates working with PHI on behalf of the PHD, who can also involve the PHD in a privacy incident. • Corrective Action Plan update trainings are targeted to select employee groups only (e.g. clinic) as the result of an incident. • County now provides a separate Cybersecurity training. Administrative Requirements • Healthcare Providers are all held to the highest Federal standards regardless of practice location. • Licensed practitioners may also have additional state legislative and licensing board requirements. • Mandated investigations and reporting of possible HIPAA violations to state DHCS and the federal government.
Protected Health Information (PHI) • Any information transmitted or maintained in any medium. Hardcopy or Electronic (e-PHI) format • Includes sensitive personal health information • By protecting PHI we are also preventing identity theft. • Breaches of information such as social security numbers, patient name and date of birth can lead to identity theft. • PHI Identifiers include full face photograph, address, date of birth, date of service. • Health Privacy Breaches – Unauthorized Access to this Personal, Protected Health Information • A Formal Breach Assessment Process is required.
Protection of PHI is Covered By: • HIPAA Laws as enforced by the Federal Government. Civil penalties up to $25,000 for failure to comply. Did you know? Cottage Hospital received a $3,000,000 fine in 2018 for alleged HIPAA violations affecting over 62,000 patients. Criminal penalties: • $50,000 fine and 1 year prison for knowingly obtaining and wrongfully sharing information. • $100,000 fine and 5 years prison for obtaining and disclosing through false pretenses. • $250,000 fine and 10 years prison for obtaining and disclosing for commercial advantage, personal gain, or malicious harm. • The Public Health Department’s Notice of Privacy Practices (NPP). • You as an employee, by following the PHD’s policies and procedures.
Safeguarding PHI: a review • Pay attention to detail when entering names and numbers to ensure that they match the right patient. • Be mindful of your surroundings when discussing PHI in public or in areas where conversations may be overheard. • Protect the PHI that you are handling. Keep it safe and secure at all times. • Place PHI in designated shred bins to ensure that the information is not mistaken for trash. • Turn over/cover PHI when you leave your desk or cubicle so others cannot read it. • If you don’t require access in order to perform the functions of your job, then DO NOT access the information. Protecting PHI is up to YOU
What is a Breach? A breach is the release of protected health information without authorization. • Involves a formal investigation, reporting, and notification. • Timely reporting of breaches is essential to ensure compliance with both state and federal requirements. • The patient must be notified of the breach without unreasonable delay (within 60 days). • If you suspect you might have a breach or are unsure, report it!
It’s Important to Report HIPAA Violations Immediately! • So they can be investigated, managed, and documented. • So they can be prevented from happening again in the future. • So damages can be kept to a minimum. • To minimize your personal risk. • In some instances, affected parties of lost, stolen or compromised PHI will need to be notified as required by law. If you are unsure whether an incidental disclosure needs to be reported, report it to your Supervisor or Privacy Officer anyway.
Stop and Think - Don’t Post! Did an emergency medical services worker in Tennessee commit a HIPAA violation with a Facebook post that described the peculiar location of an emergency response—a chicken coop? “The EMS worker was part of a team that responded to a call about …(“Mr. X”), who had suffered a heart attack in his chicken coop. "The first responders arrived and started CPR on him while I held his hand and sat next to him," his wife (Mrs. X.) … told USA Today Network-Tennessee. Later, the EMS worker posted on her Facebook account, “Well, we had a first…We worked a code in a chicken coop! Knee deep in chicken droppings.” …The worker also wrote, "It was awful," and "I'm pretty sure y'all could smell us in dispatch." Mrs. X. called the Roane County EMS to complain about the post. She then spoke with Roane County Executive Ron Woody, who apologized… Woody told USA Today Network-Tennessee: “We had an employee that should not have been on Facebook discussing anything regarding her work.” Mrs. X. is considering filing a lawsuit against the county. "Even though she did not mention his name, she said it was the first time they had ever had a call in a chicken coop. Everybody knows where my husband died.”” By Fred Donovan, June 4, 2018 https://healthitsecurity.com/news/did-ems-worker-commit-hipaa-violation-with-facebook-post?elqTrackId=1bb4aec48b0b4a50aa5daf8622fb91dc&elq=fa79203f533a4c4a905f140b055afca8&elqaid=5752&elqat=1&elqCampaignId=5351
Photos and Patients: Think Before You Click! Linda J. Garrett, JD, Risk Management Services and CSAC consultant for SBCPHD “Recently a small rural hospital’s skilled nursing facility heard from an attorney after a Volunteer who helped with an outing to a local farm posted pictures of some of the residents on her Facebook page. The attorney’s question: did you get written consent from my client before taking those photos? As we all know, HIPAA and other privacy laws protect our patients’ medical information and clinical records, but did you know that those same laws protect their image as well? If the image can be matched to an individual and an inference can be made that the individual is receiving services from us, that fact alone (that the person is our patient) is sufficient to constitute a breach! Federal and State privacy laws, as well as accreditation standards and Conditions of Participation, all require that we take this issue seriously, and that we have policies and procedures in place to protect our patients’ privacy and assure that we have proper consent before we use images or recordings for purposes other than patient identification and care.
Continued: For that reason, employees and staff should NEVER photograph, record or videotape activities or individuals without specific written consent from the patient and approval from the risk management team. Patients and visitors should also be asked to NOT take photographs at our facility unless they are absolutely certain that no one else is in the picture who hasn’t agreed to pose! A cute photo of mom and new baby could unintentionally capture the image of another patient who might not want the world to know that she has just given birth. Similarly, a fun photo of a high school athlete at our orthopedic clinic after his cast has been removed could catch someone else grimacing in pain as they get up from their chair in the waiting room to go in for an appointment – not their best face, and certainly not something they want their co-workers, friends or family to see.”
Stop and think • Things to consider before you pull out your device to take a photo: • Do you have consent from every patient whose image might be in the picture? • Has the device been approved by IT Security Officer and does your employer’s policy permit this? • Even if it is not a violation of HIPAA, State law, or other rules and regulations, does your employer policy permit it? • Is the purpose of the photo something that your chain of command and risk management team has approved? • And, if you haven’t checked all of the above boxes, before you click, ask yourself, “is it worth a call from an attorney?”
Precautions with Portable Electronic Devices including cameras or flash drives A camera with infant security photos went missing when a nurse failed to store the camera in its normal secure location at Roper St. Francis, Mount Pleasant Hospital. The breach affected the protected health information (PHI) of 508 newborn patients. The types of PHI on the camera included photographs of patients, patients’ last names, dates of birth, and providers’ names. In response to the breach, on December 4, 2016, the covered entity (CE) ended the procedure of taking security photos of newborns, and staff members were advised to continue to ensure the safety of infants by identifying them with appropriate matching bracelets, utilization of the infant security tags and system, and education of the family. Corrective Action Plan: The Hospital implemented an Information Services Security Incident Response Procedure to facilitate timely and effective handling of all cybersecurity computer incidents and trained staff in the affected unit on its HIPAA policies and procedures. It provided breach notification to HHS, the parents of affected newborns and the media. It offered credit monitoring and identity protection services to affected individuals and established a call center related to the breach. OCR obtained assurances that the CE implemented the corrective actions listed above.
Stop, Think before you Connect • Use of outside vendors to print images • Use of USB devices and Digital Cameras to store and transport ePHI • Use of Personal Cellular phones to photograph patients • Unencrypted Desktops • Use of File Shares to Store ePHI
Alternative Means of Communication • Includes Texting, Email, Etc. • Requires special written consent from the patient for PHD staff to contact them under HIPAA guidelines • New policy and improved technology options under review by PHD – appointment reminders, etc.
Recognizing a Breach Health Privacy Breaches – Unauthorized Access to Personal, Protected Health Information Protecting someone’s healthcare information is part of our Mission and our Values. It is also a Trust bestowed upon us by our patients.
Investigation of a Privacy Breach • The PHD Privacy Officer, with assistance from the PHD Security Officer if electronic media (EHR, fax, phone) are involved, conducts the investigation. Interviews and electronic data reviews are used to determine if a breach occurred. • A Security Investigation can involve a screen-by-screen review of the employee’s EHR sessions as well as e-mail. • Suspected breaches and investigation outcomes are reported to the PHD Compliance Officer and the County Privacy Officer, and may be reported to HR depending upon the circumstances.
Breach Assessment Process • The Public Health Department’s Privacy and Security representatives must do an assessment on every potential reportable breach. • This information is reported to the PHD Compliance Officer. • The County Privacy Officer is Celeste Anderson J.D., a Behavioral Wellness employee, at (805) 934-6344. • The County Privacy Officer, PHD Privacy Officer and PHD Security Officer meet regularly and work collaboratively.
First EHR Breaches occur at PHD: deliberate and inappropriate access of e-PHI. The number of PHD patients impacted by breaches increased significantly from 2014 to 2015.
Potential for Breaches Increased due to Misuse of Technology
An Ongoing Cause of Breaches - Not Using Encrypted (secure) County E-Mail • Be sure to use the County’s Secure E-mail whenever you send PHI to someone or something outside the Santa Barbara County e-mail system, including a hospital or another medical provider. • It’s fast and easy. Type [secure] immediately after the last word in the subject line, with no space between the word and the first bracket. • Instructions can be found on the PHD intranet home page: http://phdhome.sbcphd.org/apps/content/contentitem.aspx?ID=8032 (open from your work computer)
Safeguard PHI Steps to Keep a Clean Machine • Validate the identity of anyone asking for confidential information. • Don’t open emails from strangers and don’t click on unfamiliar sites. • Make sure you change your passwords often and avoid using the same password on multiple sites. • Always enter a URL by hand instead of following links. • Report suspicious or unsolicited e-mails from unknown sources to IT Help Desk or Security Officer. • Report any strange popups or behavior by your computer to IT Help Desk.
Where to find more information • E-mail procedures and best practices - No ePHI in unsecured email. Email policy: http://phdhome.sbcphd.org/apps/content/contentitem.aspx?ID=8883 • How to send secure email: http://phdhome.sbcphd.org/apps/content/contentitem.aspx?ID=8032 • Contacting the PHD IT Help Desk: http://phdhome.sbcphd.org/apps/content/contentitem.aspx?ID=5094 • Destruction of sensitive information: physical disposal in a locked shred bin, electronic disposal. Shred bin policy: http://phdhome.sbcphd.org/apps/content/contentitem.aspx?ID=8623 • Where to store (and not store!) ePHI: http://phdhome.sbcphd.org/apps/content/contentitem.aspx?ID=9593 • Role of the Office for Civil Rights - enforces the HIPAA rules and investigates violations http://www.hhs.gov/ocr
Auditing and Monitoring How does this impact me?
Audit Trails: Accessing More Than the “Minimum Necessary” • We may only access the minimum necessary to complete our assigned job responsibilities. • This means we may not access information out of curiosity or when we have no job-related reason to do so.
Audit Trails of What I Access: The Security Regulations require this • The PHD conducts random audits of employee and contractor access to determine: • the appropriateness of access, and • whether access is based on the PHD’s Access policies. • Audit trails show which patient records have been accessed, the date and time of the access, what was accessed, etc. • If access appears to be inappropriate, the Privacy Officer along with the Security Officer initiates an investigation to determine if a Breach has occurred.
Audit Trails: Securing Systems Example 1: When leaving his/her computer, an employee didn’t log off the EHR; another employee then used it to look up her neighbor’s medical information. Important Note: In this situation, neither employee followed PHD policies and procedures, which require: • Logging off/securing all applications when unattended. • Using the password-protected screensaver when leaving a workstation unattended. • Not using another person’s login
Audit Trails: Accessing More Than the “Minimum Necessary” Example 2: A clinical staff employee is assigned to routinely view and update medications, blood pressure, pulse, and weight for each patient seen by the provider she works with. She saw a friend receiving care from another provider and was curious about her friend’s outcomes and decided to view that patient’s record. Note: This was determined to be a breach of patient confidentiality as the employee was not requested by her provider and/or supervisor to access the other patient’s records.
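The two examples above are what the random access audits described earlier are looking for in the audit trail. Below is an added example of what an audit review script might look like; it is not code from the PHD or its EHR vendor. The log format, the assignment table, the staff-to-patient-ID mapping and the 15-minute lock timeout are all assumptions, and the log lines are constructed for illustration. It flags the three patterns from this training: a user viewing a patient not on their assignment list (Example 2), a user viewing their own record, and record activity that resumes after an idle gap longer than the screensaver lock timeout without a new login, which is what Example 1 looks like in the trail, since both lookups are recorded under the first employee’s account.

```python
"""
Added example (not part of the PHD training deck): a small audit-trail review
in the spirit of the random access audits the deck describes.

Reads constructed EHR audit log lines (format is an assumption; real EHR
audit exports differ) plus an assumed assignment table mapping each user to
the patients they are scheduled to work with, and flags:

  1. not_assigned: a user viewed a patient not on their assignment list;
  2. self_lookup: a user viewed their own patient record;
  3. unattended_session: activity resumed after an idle gap longer than the
     lock timeout with no new LOGIN event, which suggests a session left open.

Every flag is a lead for the Privacy/Security Officer to investigate, not a
breach finding on its own.
"""
from datetime import datetime, timedelta

LOCK_TIMEOUT = timedelta(minutes=15)  # assumed screensaver lock policy

# Constructed sample log: timestamp,user,workstation,action,patient_id
SAMPLE_LOG = """\
2019-03-04T09:00:05,jsmith,WS-CL1-07,LOGIN,-
2019-03-04T09:02:11,jsmith,WS-CL1-07,VIEW,P1001
2019-03-04T09:05:40,jsmith,WS-CL1-07,UPDATE,P1001
2019-03-04T09:08:02,jsmith,WS-CL1-07,VIEW,P1002
2019-03-04T09:41:30,jsmith,WS-CL1-07,VIEW,P1005
2019-03-04T09:55:00,jsmith,WS-CL1-07,LOGOFF,-
2019-03-04T10:10:00,mlee,WS-CL1-03,LOGIN,-
2019-03-04T10:12:19,mlee,WS-CL1-03,VIEW,P1003
2019-03-04T10:15:44,mlee,WS-CL1-03,VIEW,P1002
2019-03-04T10:20:01,mlee,WS-CL1-03,VIEW,P2044
2019-03-04T10:30:00,mlee,WS-CL1-03,LOGOFF,-
"""

# Constructed assignment table: patients each user is scheduled to work with
ASSIGNED = {
    "jsmith": {"P1001", "P1002"},
    "mlee": {"P1003", "P1004"},
}

# Constructed mapping of workforce members to their own patient ID, where one exists
STAFF_PATIENT_ID = {"mlee": "P2044"}


def parse_log(text):
    """Parse the comma-separated sample format into dicts, in timestamp order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ws, action, patient = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "ws": ws,
            "action": action,
            "patient": None if patient == "-" else patient,
        })
    return sorted(events, key=lambda e: e["ts"])


def review(events, assigned, staff_patient_id, lock_timeout=LOCK_TIMEOUT):
    """Return a list of (rule, user, detail) findings for follow-up."""
    findings = []
    last_activity = {}  # (user, workstation) -> time of last event in the open session
    for e in events:
        key = (e["user"], e["ws"])
        if e["action"] == "LOGIN":
            last_activity[key] = e["ts"]
            continue
        if e["action"] == "LOGOFF":
            last_activity.pop(key, None)
            continue
        # Rule 3: activity after an idle gap longer than the lock timeout, with
        # no LOGIN in between, should not be possible if the lock was in force.
        prev = last_activity.get(key)
        if prev is not None and e["ts"] - prev > lock_timeout:
            findings.append(("unattended_session", e["user"],
                             f"{e['ws']} idle {e['ts'] - prev} before "
                             f"{e['action']} {e['patient']} at {e['ts'].isoformat()}"))
        last_activity[key] = e["ts"]

        if e["patient"] is None:
            continue
        # Rule 2: the user's own record
        if staff_patient_id.get(e["user"]) == e["patient"]:
            findings.append(("self_lookup", e["user"],
                             f"{e['action']} own record {e['patient']}"))
        # Rule 1: a patient the user is not assigned to
        elif e["patient"] not in assigned.get(e["user"], set()):
            findings.append(("not_assigned", e["user"],
                             f"{e['action']} {e['patient']} at {e['ts'].isoformat()}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in review(parse_log(SAMPLE_LOG), ASSIGNED, STAFF_PATIENT_ID):
        print(f"{rule:20} {user:8} {detail}")
```

On the constructed log this produces four leads: jsmith’s 09:41 view of P1005 comes 33 minutes after the previous activity in an open session and is of an unassigned patient, mlee views P1002 (assigned to jsmith, not mlee) and then her own record P2044. Whether the P1005 view was jsmith or someone using her unattended session is exactly what the interviews described under “Investigation of a Privacy Breach” have to establish; the trail alone cannot tell the two apart.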
How do I report a Privacy or Security Violation? • Report to your Supervisor, who will then report to the Privacy and/or Security Officer. • Complete a Health Information Privacy Complaint form (HCS-535), located under Resources on the PHD Intranet. • Fax the completed form to the confidential fax number located on the form, or send the scanned form to phdcompliancereporting@sbcphd.org. • Notify the Privacy Officer and/or Security Officer once you have sent the document. If you wish to report information anonymously, you may use the compliance reporting form on the PHD Website at www.countyofsb.org/PHD
Final Reminders • Access to online medical records is audited. • You will be held responsible for any inappropriate access done using your accounts. • Do not share passwords. Secure your session. • Log off or lock your workstation when you step away. • Do not look up any information that is not required for your job, which means your co-workers’ records, your own or your family’s records, or any other patient, even a VIP individual. • Dispose of confidential information in secure shred bins. • Our patients have entrusted their care to us and need the assurance that all information, both personal and medical, will be kept confidential and not used for personal curiosity or gain. Thank you for Protecting Our Patients’ Information!
Privacy and Security Contacts for the Public Health Department • Compliance Officer: Suzanne Jacobson • Email: Suzanne.Jacobson@sbcphd.org Phone: 844-351-0659 • Privacy Officer: June English • Email: June.English@sbcphd.org Phone: 805-681-4783 • Security Officer: Janine Neal • Email: Janine.Neal@sbcphd.org Phone: 805-346-8424 Toll-free Number for Compliance Reporting 844-351-0659
Required Evaluation Why: to help us assess the usefulness of this training and document that you have completed this course. To complete the course: • You may use this PowerPoint as a reference during the quiz. • You must score 80% or higher to pass the evaluation and complete your training. You can retake the evaluation until you reach 80%. The evaluation is scored automatically and will show you the correct answers after completion. • Use the hyperlink below to access the evaluation questions on Survey Monkey. If the link does not work or does not take you to Survey Monkey, you may copy and paste the link into your internet browser to access the evaluation: https://www.surveymonkey.com/r/DX59X2H