180 likes | 392 Views
Introduction to Client Confidentiality: Privacy & Security (HIPAA/Release of Information). Introduction. You will learn about: PRIVACY -Authorization to Release Information SECURITY -Password protection -Encryption STANDARDIZATION OF TRANSACTION CODE SETS
E N D
Introduction to Client Confidentiality: Privacy & Security(HIPAA/Release of Information) DAVID LAWRENCE CENTER
Introduction You will learn about: • PRIVACY -Authorization to Release Information • SECURITY -Password protection -Encryption • STANDARDIZATION OF TRANSACTION CODE SETS -Standardization of HIPAA transaction standards (5010) -Modification of Medical Data Code Sets (ICD-10-CM) DAVID LAWRENCE CENTER
HIPAA Health Insurance Portability and Accountability Act • Privacy • Privacy Rule protects all forms of Protected Health Information (PHI) including ePHI (electronic, paper, or oral) Protected Health Information: Names Relatives Names SSN Addresses DOB Employers Telephone and fax numbers • PHI – Protected Health Information: which is any client identifying information which if disclosed would provide identifying information about a client and / or their treatment. • ePHI– Electronic Protected Health Information any PHI that is stored, held or transmitted, either permanently or temporarily in any electronic format. • Examples: Email, Documents (Word, Excel, PowerPoint or plain text); electronic reports saved for printing at a later date; PDA’s; Electronic Health Record; Enterprise systems; network shares. • Portability-ensures that individuals moving from one health plan to another will have continuation of coverage and will not be denied coverage under the pre-existing-condition clauses. • Accountability-significantly increases the federal governments fraud enforcement authority for privacy and security • Administrative Simplification- August 2000 standardizes electronic transmissions of health care data DAVID LAWRENCE CENTER
Client Rights to Privacy • Right to have access to their information • Request amendments to their information (DLC has the right to approve or deny their request) • Request revocation of their previously signed authorizations at any time; Any information previously released will not be impacted by the revocation. • Request an accounting of disclosures 1. Paper records-Access to Records Log 2. Electronic Records-Access is monitored by IT through Profiler Reporting System. DAVID LAWRENCE CENTER
Accessing and Requesting Protected Health Information • Authorization to Release Information- must be completed and on file in order to disclose information. -Clinical Records Department process requests on paper or in electronic format -Fees ($1.00/page) (No charge for healthcare providers, Prison Health Services, Medical Examiner, and Department of Children and Families) -Required to respond within 7 business days -Who can complete the Authorization to Release Information? • Client • Biological Parent/Guardian • Proxy • Guardian Ad Litem-with appropriate court documentation. • Basic information is disclosed by signing the Authorization- if additional information is requested the client must initial the items and specify if “Other”. • Authorization is not required for treatment, payment and operations. DAVID LAWRENCE CENTER
Accessing and Requesting Protected Health Information • Access to information may be temporarily denied to the client. • Authorization from the treatment provider to release information to the client will be required in the instances identified below: • DCF Involvement for Abuse and Neglect • Baker Act admission for Suicide Attempts if requested within 30 days of discharge • Custody cases • Why is this required: If a client is requesting information that the provider feels could be harmful to that client we have the right to temporarily deny the request. • If denied the Health Information Record Denial Request must be sent to the client. DAVID LAWRENCE CENTER
DLC’S responsibility to protect clients rights are: • Control who can access information-”Do I need to know this to do my job?” • Acknowledge/Notify client’s of their rights HIPAA Acknowledgement Form-Client only needs to sign once, unless major changes are made to the document • Provide training to all staff • Sanction Policy • Policy and Procedures- Access on Center’s Intranet, Your program supervisor or office manager and Quality Assurance. • Documentation- Assure errors in the electronic clinical record are appropriately corrected using the void function. Assure entries in clinical records are not deleted. DAVID LAWRENCE CENTER
DLC’s HIPAA Compliance Officers • Privacy Officer – Sharie Boscaglia • Security Officer - Faron Richards • Facility Security - Gary Boivin DAVID LAWRENCE CENTER
Who Can see what ? • DLC is consider a “Covered Entity” which requires us to comply with HIPAA privacy and security regulations.(“covered entity” includes most providers, clearinghouses and health plans) • Any organization receiving PHI from DLC is mandated to have a Business Associate Agreement which requires them to comply with HIPAA regulations. (exceptions are those who routinely receive PHI as part of treatment, payment or operations; otherwise a specific authorization is required) • Only authorized personnel can see the physical chart or any electronic version or representation thereof. • Authorized Personnel are defined as those individuals directly involvedin treatment, billing, records or auditingof the information. These individual are allowed access and only then in directcorrelationwith their job responsibilities. • Clinical personnel not assigned to the treatment team are prohibited to review the chart – unless for peer review, auditing purposes or referral to program. • Administrative personnel should have limited access to the client’s record unless it directly relates to their job. (Medical Records, auditing, reporting, scheduling) DAVID LAWRENCE CENTER
SECURITY • Security • Security covers specifically electronic PHI (ePHI) which is being held, stored or transmitted. DAVID LAWRENCE CENTER
Security • The Security Rule requires us to establish Administrative,Physical and Technical safeguards, to control access to electronic protected health information in order to ensure: • Confidentiality – No accidental or intentional disclosure to unauthorized recipients. • Integrity – Data has not been altered or destroyed in an unauthorized manner. In no instance should information be deleted from a record. • Availability – Accessible and useable upon demand by an authorized entity. DAVID LAWRENCE CENTER
Security • Technology has allowed us to compile a large amount of protected data in our Information Systems. Loss of any of these systems and subsequently the loss of the data contained therein would have a devastating impact on the agency. • Technology Security –Passwords, encryption etc Keep your passwords secret – known only to you, Never share it with anyone. You are responsible for anything done on the system under your login ID. You are never permitted to share login and password information., this is considered a serious offense and corrective action may be taken.. Commit your password to memory and change it often If you forget your password or suspect it has been compromised in any way contact IT Helpdesk to have it reset for you. Select passwords not easily guessed. Always include at least one number and/or a special character such as $ # ! & Never leave your system while you are logged on – always use Ctrl-Alt-Del and lock computer. Do not write password down and leave it in a conspicuous place such as on your monitor or under the keyboard • Contingency/Disaster Plan • DLC has Security Procedures in place and can be located on the intranet. • Use common sense never leave PHI on Fax or Printer for others to see. Security is not just a computer issue. Faxing information to an incorrect fax number is considered a breach of confidentiality. The use of memory sticks and key fobs are against center policy. • Electronic access is managed by security level in Profiler which is based on provider type, tree view and treatment team participants DAVID LAWRENCE CENTER
Security • 3 ways to enter buildings, KEY, key fobs, Electronic key pad • Discard all documents with PHI in proper locked container or use crosscut shredder. • Loading of personal computer programs on DLC computer equipment is NOT permissible. • The integrity of data on any Information System is the responsibility of every employee. Each person should verify the data they enter into the system by spot checking or data sampling to ensure it is in the proper location and is correct. • Any PHI that is going to be sent via email outside the Center must be put into a MS-Office document and encrypted. Then send via email attachment. PHI should never be included in the in “subject” line or content of emailof the email. If you are required to email PHI as part of your job duties please contact IT to ensure you are following adequate password and policy procedures. DAVID LAWRENCE CENTER
Why Security is Important? • Public Trust • Morally and ethically the right thing to do. • Good business practice • Protection against liability claims and law suits • Avoids financial penalties and possible imprisonment DAVID LAWRENCE CENTER
REPORTING BREACHES • Employees are required to notify the Privacy or Security Officer when they breach a HIPAA standard or witness or discover any other individual breaching a standard. • We are required to follow our policy on violations and they must be enforced. • Effective November 30, 2009 HIPAA standards allow for penalties up to $250,000 per violation and up to 10 years imprisonment for breaches. • • Civil penalties of $25,000 for Failure to Comply • • Criminal penalties such as: • $50,000 fine and 1 year in prison for knowingly obtaining and wrongfully sharing information; • $100,000 fine and 5 years in prison for obtaining and disclosing through false pretenses; • $250,000 fine and 10 years in prison for obtaining and disclosing for commercial advantage, personal gain, or malicious harm. DAVID LAWRENCE CENTER
TRANSACTION CODE SETS • Transaction Code Sets- a set of codes standardized by HIPAA used for billing purposes. • Improved the efficiency and effectiveness of the health care system by leading to cost reductions and improvements in benefits from electronic health care transactions. • Has enhanced security of protected health information. DAVID LAWRENCE CENTER
WHY COMPLY? • It’s a Federal Law! There are Civil and Criminal Penalties. Enforced by the Office of Civil Rights • DLC requires it • It’s a good business practice DAVID LAWRENCE CENTER
PLEASE COMPLETE QUIZ THE END DAVID LAWRENCE CENTER