HIPAA


https://app.compassdb.io/db/training/course/1263/

Introduction to HIPAA

Learning Objective

  1. List the three aspects of HIPAA that are the responsibility of all staff members.
  2. Differentiate between identifiable and de-identified health data.
  3. Describe and demonstrate how to protect patient privacy when communicating patient information in person, by telephone, or via computer.
  4. List and demonstrate at least three key actions to ensure the security of all patient information.
  5. Identify real or potential information security breaches.
  6. Accurately describe the process for reporting a real or potential breach to your organization’s security officer.
  7. Understand the potential consequences of violating the federal HIPAA requirements.


Module 1: Introduction to HIPAA

  • What is HIPAA
    • Health Insurance Portability and Accountability Act
    • A U.S. Federal law intended to give consumers more rights and greater control over their healthcare information
    • Applies to any organization that creates, manages, stores or uses “protected health information”
      • Hospitals
      • Dentists
      • Chiropractors
      • Optometrists
      • LTC facilities
      • Outpatient facilities
      • Insurance companies
      • Ambulance companies
  • Why is it important
    • In 2014, healthcare experienced more cyber-breaches than any other industry
      • Health data is increasingly valuable to hackers
    • Health insurance records include
      • Name
      • Contact Info
      • Employer
      • SSN
      • Payment Info
      • Name and Contact info for Family members
    • Hackers aren’t choosy.  Hospitals, doctors’ offices, PT clinics and LTC (Long Term Care) facilities are all targeted
    • Patients and Families are better informed about privacy & security
      • 1/4 – 1/3 of HIPAA audits are triggered by a family member complaint.
    • Fines for a breach ($500K – $4.5M) can put an organization out of business!
    • Theft of a medical identity can destroy a patient’s credit score and keep them from receiving needed medical care.
    • YOU can be held liable for civil and criminal charges (including jail time) for knowingly violating HIPAA rules.
  • What is Protected Health Information (PHI)
    • ANY information about a patient’s health status, provision of health care, or payment for health care that can be linked to a specific individual, whether in paper, oral or electronic form.
    • PHI Identifiers (18)
      • Name
      • SSN
      • Dates directly related to the individual (birth, death, admission, discharge) more precise than the year, and any age over 89
      • Phone and fax numbers
      • Email address, web address (URL) or IP address
      • Geographic subdivisions smaller than a state: street address, city, county, ZIP Code
      • Medical record number
      • Health plan beneficiary number (Medicare, Medicaid, BCBS)
      • Any account number (Library card!)
      • Certificate/License number
      • Vehicle identifiers and serial numbers (including license plates)
      • Device identifier or serial number (glucometer, prosthetic device)
      • Biometric identifier (finger or voice print)
      • Full-face photographs or comparable images
      • Any other unique identifying number, characteristic or code
      • Several bullets above group related items; the regulation (45 CFR 164.514(b)(2)) counts 18 separately.
      • These apply even if the patient is deceased!!
    • De-identified data
      • “Health information that does not identify an individual” and for which “There is no reasonable basis to believe that the information can be used to identify an individual” (45 CFR 164.514(a))
      • This information may be used for research to benefit care quality and efficiency.
      • There are only 2 acceptable methods for ensuring data has been properly de-identified before being released
        • Expert Determination – a qualified expert applies statistical principles and documents that the risk of re-identification is very small
        • Safe Harbor – systematic removal of all 18 identifiers, plus no actual knowledge that the remaining information could identify the individual
      • De-identified data should only be released by qualified staff with special training.
  • Who must comply with HIPAA
    • In 2013 the Omnibus Rule update extended responsibility for safeguarding patient information to all members of the workforce, including external service providers (contractors) called “business associates”
    • Protecting information is EVERYONES responsibility
  • What are the HIPAA Requirements?
    • Privacy Rule
      • Limits how organizations and employees can use patient information
    • Security Rule
      • Requirements for the management of patient information in electronic form
    • Breach Notification Rule
      • Instructions for when and how to report the improper use of patient information
  • Knowledge Check
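Worked example for the Safe Harbor method described in the de-identified data notes above. This is added example code, not part of the course or any EHR vendor's software: the record field names, the fictional sample records, the small-population ZIP3 set and the free-text patterns are assumptions for illustration.

```python
"""Safe Harbor de-identification of one patient record (45 CFR 164.514(b)(2)).
Field names, samples and the ZIP3 set below are assumptions for this example."""
import re
from datetime import date

# Identifiers Safe Harbor removes outright (field names assumed for this example).
REMOVE_FIELDS = {
    "name", "ssn", "phone", "fax", "email", "url", "ip_address", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "biometric", "photo", "street_address", "city", "county",
}
# Date elements: only the year may be kept.
DATE_FIELDS = {"dob", "death_date", "admit_date", "discharge_date"}
# 3-digit ZIP prefixes whose combined population is 20,000 or fewer become "000".
# Illustrative subset only; the authoritative list comes from current Census data.
SMALL_POPULATION_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790"}

# Minimal pattern pass for identifiers embedded in free text. It catches the
# obvious cases only; Safe Harbor on narrative notes still needs human review.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b(?:\+1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"), "[DATE]"),
    (re.compile(r"\b(?:MRN|Acct)[ #:]*\d+\b", re.I), "[ID]"),
]

def scrub_free_text(text):
    for pattern, token in FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text

def deidentify_zip(zip_code):
    zip3 = zip_code[:3]
    return "000" if zip3 in SMALL_POPULATION_ZIP3 else zip3

def age_on(dob, today):
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))

def safe_harbor(record, today=date(2024, 1, 15)):
    """Return a new dict with every Safe Harbor identifier class handled."""
    out = {}
    for key, value in record.items():
        if key in REMOVE_FIELDS:
            continue                            # dropped entirely
        if key == "zip":
            out["zip3"] = deidentify_zip(value)
        elif key in DATE_FIELDS:
            out[key + "_year"] = value.year     # year only
        elif key == "notes":
            out[key] = scrub_free_text(value)
        else:
            out[key] = value                    # clinical data (e.g. diagnosis codes) stays
    if "dob" in record:
        age = age_on(record["dob"], today)
        if age >= 90:
            # Ages over 89 collapse into one "90+" bucket, and the birth year
            # that would reveal such an age is removed as well.
            out["age"] = "90+"
            out.pop("dob_year", None)
        else:
            out["age"] = age
    return out

# Constructed sample records (fictional data), not from any real system.
SAMPLE = {
    "name": "Jane Q. Patient",
    "ssn": "123-45-6789",
    "mrn": "0098123",
    "dob": date(1931, 4, 2),
    "admit_date": date(2023, 11, 3),
    "zip": "03601",
    "street_address": "12 Elm St",
    "diagnosis": "E11.9",
    "notes": ("Pt called 603-555-0142 re follow-up; daughter jane.doe@example.com; "
              "seen 11/03/2023; MRN 0098123."),
}
YOUNG_SAMPLE = {"dob": date(1990, 6, 1), "zip": "90210", "diagnosis": "J45.20"}

if __name__ == "__main__":
    print(safe_harbor(SAMPLE))
```

The structured fields are the easy part; the regex pass over the notes field is where a real release usually fails, which is why the course restricts releases to trained staff. Treat the pattern list as a first filter, not as proof of de-identification.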

Module 2: Privacy Rule

  • Goals
    • Increase patients’ control over their health information
    • Protect PHI while in use
    • Limit the allowable disclosure of PHI
  • Patients’ Rights
    • Are intended to give patients greater control over their health information
    • Right to receive a clearly written explanation of how their medical information will be used, kept and disclosed.
    • Request access to inspect and copy their health records (excluding psychotherapy notes)
    • Request corrections to their medical record.
    • Request a record of the disclosures of their PHI
    • Restrict the use and disclosure of their PHI (including withholding information from a health plan for any care paid for out-of-pocket)
    • Patients have a right to control how their information is used!
  • Privacy: Protecting PHI in Use
    • Talking to patients
    • Delivering care
    • Talking with co-workers
    • Charting and documenting care
      • Keep paper records secured in a locked room or drawer except when in use
      • Close folders or turn documents print side down when approached by another patient or visitor not authorized to view the record.
      • Never leave documents containing PHI unattended.
      • Only access those records necessary to fulfill assigned care responsibilities.
      • Shred discarded documents that contain PHI
        • These should never be discarded into regular trash!
    • Talking on the phone.
      • Make and receive calls from a private location
      • speak in a low voice
      • verify the caller’s identity before disclosing any information
        • should have a local policy for this
      • Disclose the minimum necessary information to accomplish the purpose of the call.
    • Face to Face communications
      • Other members of the team
      • Patients
      • Move to a quiet place
      • Speak in a low voice
      • Limit the information exchanged verbally to non-PHI
      • Use a paper document or computer screen and point to the data
    • Ensure that PHI is only disclosed to authorized individuals
  • How to properly disclose Patient Information
    • Required: Provider organization must disclose PHI.  No patient consent required.
      • Situations in which the provider organization must disclose PHI:
        • Government agency (HHS) conducting a compliance investigation
        • Patient or legal representative requests their medical record and/or an accounting of disclosures.
    • Permitted: Provider organization may disclose certain PHI without patient consent
      • Treatment, Payment and Operations (TPO)
      • Public Health – Often sanctioned by the state/CDC for specific diseases.
      • Research – De-identified data (once properly de-identified, the data is no longer PHI)
      • When in doubt, consult your organization’s policies and procedures.
    • Authorized: All other uses or disclosures of PHI require written consent from patient or agent.
      • If a disclosure is not Required or Permitted  (see above) it requires authorization by the patient or legal representative documented in the medical record.
        • Responsible Party (RP) or Personal Representative (PR)
          • A surrogate decision maker designated in writing by the patient.
        • Medical Power of Attorney (MPOA)
          • Person authorized to make medical decisions for the patient.
          • Requires a signed MPOA agreement.
        • Financial Power of Attorney (FPOA)
          • Person authorized to make financial decisions for the patient.
          • Requires a signed FPOA agreement.
      • Authorization must be in writing and in the patient record.
    • Incidental Disclosures: Limited and unintentional disclosures that occur in the process of performing permitted disclosure activities.
      • Patient name on waiting room sign-in sheet seen by another patient.
      • Nursing station conversation overheard by passers-by
      • Conversation overheard in a semi-private room
      • Incidental disclosures are NOT HIPAA violations!
        • as long as reasonable safeguards and the minimum necessary standard were followed.

Module 3: Security Rule

  • What is ePHI?
    • ePHI is Protected Health Information in electronic form, for example:
      • EHR files
      • Digital X-rays
      • Electronic documents such as referral letters or reports
      • Electronic claims information
      • Electronic test results
  • Goals
    • The provisions of the Security rule are intended to protect ePHI specifically.
    • Protect the confidentiality of ePHI – PHI that is created, stored or transmitted in electronic form
    • Ensure the integrity of ePHI – that is, making sure that ePHI is not corrupted or modified by unauthorized users
    • ensure ready availability of ePHI to members of the care team
    • Allow for the use of information technology to improve the quality and efficiency of patient care
    • Protect against reasonably anticipated hazards that could threaten the confidentiality, integrity or availability of ePHI
    • These goals balance privacy and security against the care team’s need for ready access to the information it requires.
  • Protecting ePHI in use
    • Checking patient census or schedule
    • Administering medications
    • Charting
    • Contacting physician, manager or team leader via Text.
    • Charging for supplies
    • EVERY use of ePHI requires attention to security
  • Creating and Maintaining Passwords
    • Kd469%8540!h
      • 12 chars long
      • Upper and Lower case
      • Numbers
      • Special characters
      • If 12 characters are not possible, the password must still satisfy all the other criteria
    • Protect it by memorizing it!
      • No Sticky Notes!
      • Password Vault such as LastPass
    • Change periodically
      • Quarterly recommended
    • Don’t share your password with anyone!!!
    • Password maintenance is an important security responsibility
  • Using ePHI Responsibly
    • Only access the records necessary to complete your assigned care responsibilities
      • Minimize your access to only what you need
    • Ensure the computer monitor is positioned so it cannot be easily viewed by visitors or other patients.
    • Log out of the EHR when not using it to access or document patient information
    • Lock screen when approached by anyone not authorized to view a record.
    • Log out of the workstation before stepping away.
      • Anyone using the workstation after you must enter a username and password.
    • Protect ePHI when you’re using it.  Lock It when you’re done!
  • Communicating via Email and Text
    • Only use secure email or text software provided by your organization
    • Do Not use a personal device (phone or computer) Unless organization-supplied security software has been installed
    • Do NOT use commercial applications, such as Gmail, Yahoo, AOL, or the text app preinstalled on your phone.
    • Only send the minimum necessary information to allow the receiver to perform their task.
  • Protecting against hacking
    • Do Not use work computers for personal business
    • Do report symptoms of a computer virus immediately
    • Do NOT deactivate anti-virus software or firewall applications
    • Hacking is a real – and serious – threat!
  • Don’t get caught “Phishing”
    • Phishing is a hacking technique that uses phony emails to trick users into
      • Revealing sensitive account information (e.g. account password)
      • Installing malicious software (malware)
    • Example:
      • “We suspect an unauthorized transaction on your account.  To be sure your account has not been compromised, click the link below to confirm your identity.”
    • Malware can steal more than YOUR account information – it can steal patient and organization information too!
  • Identifying Phishing Emails
    • Looks like authentic email, colors, logos, etc, but has urgent financial focus
      • Short-term saving event – hurry, ending soon!
    • Email address is bizarre, or almost correct
      • contact@yggdiotot.net
      • contact@aamazon.com
    • Impersonal greeting
      • Dear client,
      • Dear valued customer
    • Phony hyperlink
      • mouse over the link to see where it takes you.  Study the URL closely!
    • Poor Grammar
    • No signature block
    • Look closely – even when the source looks legitimate!
    • If it looks suspicious, it is!
  • Phishing – don’t take the bait!
    • DO NOT open email from unknown sources
    • DO NOT click hyperlinks in a suspicious email
    • Delete suspicious email immediately
    • Think before you click!
  • Additional Phishing Precautions
    • Don’t open attachments you are not expecting
    • do Not Call a number provided in an email.
      • If you believe the contact could be legit, call the business directly using a number provided on the account statement or the official company website
    • If completing a work task requires online communication with an outside provider or facility, Use Secure Email Only!
    • Do not install or use any software not approved by your organization
    • If you accidentally click on a phishing link or open a bad attachment, call IT (your help desk) immediately!
  • Violation consequences
    • Violating HIPAA security requirements carries heavy penalties
      • Termination of employment
      • Possible civil (fines) and criminal (jail) charges
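The indicators listed under “Identifying Phishing Emails” above, turned into checks that run over two constructed messages. This is an added example, not course material or any mail filter's real code: the known-domain allow-list, the message dictionary format, the keyword lists and both sample emails are assumptions; the first sample mirrors the wording quoted in the notes, and the lookalike address is the page's own aamazon.com example.

```python
"""Phishing-indicator checks: lookalike sender, impersonal greeting, urgency,
link text/target mismatch, missing signature. Allow-list and samples assumed."""
import re
from difflib import SequenceMatcher
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_DOMAINS = {"amazon.com", "example-hospital.org"}   # assumed allow-list

URGENCY = re.compile(r"\b(urgent|immediately|suspend(?:ed)?|unauthori[sz]ed|verify|"
                     r"confirm your|ending soon|hurry|within 24 hours)\b", re.I)
IMPERSONAL = re.compile(r"\bdear\s+(valued customer|client|customer|user|member|sir or madam)\b", re.I)
SIGNOFF = re.compile(r"\b(regards|sincerely|thank you|thanks|customer service|support team)\b", re.I)
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)

class LinkExtractor(HTMLParser):
    """Collect (visible text, href) for every <a> so text and target can be compared."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def registrable(host):
    """Crude eTLD+1 (last two labels); adequate for the sample domains here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def sender_indicator(from_header):
    _, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if not domain:
        return "sender address missing or unparsable"
    if registrable(domain) in KNOWN_DOMAINS:
        return None
    for known in KNOWN_DOMAINS:                 # "almost correct" domains, e.g. aamazon.com
        if SequenceMatcher(None, domain, known).ratio() >= 0.8:
            return f"sender domain {domain!r} is a lookalike of {known!r}"
    return f"sender domain {domain!r} is not a known correspondent"

def link_indicators(html_body):
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for text, href in parser.links:
        host = urlparse(href).hostname or ""
        if not host:
            continue
        shown = ""
        if LOOKS_LIKE_URL.match(text):          # the "mouse over the link" check, automated
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if shown and registrable(shown) != registrable(host):
            findings.append(f"link text shows {shown!r} but points to {host!r}")
        elif registrable(host) not in KNOWN_DOMAINS:
            findings.append(f"link to unknown host {host!r}")
    return findings

def analyze(message):
    """message: dict with 'from', 'subject' and HTML 'body'. Returns indicator strings."""
    text = re.sub(r"<[^>]+>", " ", message["body"])
    findings = [f for f in [sender_indicator(message["from"])] if f]
    if IMPERSONAL.search(text):
        findings.append("impersonal greeting")
    cues = URGENCY.findall(message["subject"] + " " + text)
    if len(cues) >= 2:
        findings.append(f"urgency language ({len(cues)} cues)")
    findings.extend(link_indicators(message["body"]))
    if not SIGNOFF.search(text):
        findings.append("no signature block")
    return findings

def verdict(findings):
    return "likely phishing" if len(findings) >= 2 else "no strong indicators"

# Constructed samples (fictional); the first mirrors the wording quoted in the notes.
PHISH = {
    "from": "Amazon Security <contact@aamazon.com>",
    "subject": "Urgent: unauthorized transaction on your account",
    "body": ("<p>Dear valued customer,</p><p>We suspect an unauthorized transaction on your "
             "account. To be sure your account has not been compromised, click the link "
             "below to confirm your identity.</p>"
             '<p><a href="http://amazon-account-verify.yggdiotot.net/login">'
             "https://www.amazon.com/account</a></p>"),
}
LEGIT = {
    "from": "Amazon.com <ship-confirm@amazon.com>",
    "subject": "Your order has shipped",
    "body": ("<p>Hi Jane,</p><p>Your package is on its way.</p>"
             '<p><a href="https://www.amazon.com/track/1234">Track package</a></p>'
             "<p>Thank you,<br>Amazon Customer Service</p>"),
}

if __name__ == "__main__":
    for m in (PHISH, LEGIT):
        f = analyze(m); print(verdict(f), f)
```

Poor grammar, the one indicator from the list not implemented here, is hard to score reliably with regexes; the others map directly to a header, a link or a phrase, which is why a real mail gateway can flag them before the message reaches the inbox. The link check is the most valuable one: the text/target mismatch is exactly what the “mouse over the link” advice catches by hand.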

Module 4: Breach Notification rule

  • A “Breach” is an unauthorized acquisition, access, use or disclosure of PHI that compromises its security or privacy.
    • A staff member sends information to a family member who is not authorized to receive it.
    • An unauthorized person obtains access to paper or electronic records.
    • Documents containing PHI, or devices containing unencrypted ePHI, are lost or stolen.
    • Documents containing PHI, or devices containing unencrypted ePHI, are disposed of improperly.
    • Any unauthorized access to PHI constitutes a breach!
  • Breach Notification
    • If you know – or even suspect – that a breach has occurred, you must take action:
    • 3 Step process
      • Notify your supervisor
      • Notify the Chief Compliance Officer – Must Do Step!
        • This person may also be known as the Chief Security Officer
        • If you identify the breach, it is YOUR responsibility to ensure this person has been notified!
      • Complete the Breach Notification Report form.
    • If you identify the breach, it is YOUR responsibility to ensure these steps have been completed!

Module 5: Staff Responsibilities Checklist.

  • Create a secure password, 12 characters long, with Upper & Lower characters, Numbers and Special characters.
  • Change your passwords at least quarterly
  • Only access the PHI you need to care for your assigned patients.
  • Do not disclose PHI to anyone outside of the care team without the written or verbal consent of the patient.  Document consent and disclosure in the patient record.
  • Guard all information from being accessed inappropriately:
    • Securely store paper records when not in use.
    • Turn papers upside down when approached by an unauthorized person.
    • Lock the computer when not in use.
    • Secure portable devices with a locked cable or by placing them in a locked room or drawer.
    • Only use mobile devices authorized by your organization
    • Only use software authorized by your organization
  • Know how to report a breach.
    • Notify your supervisor
    • Notify your Chief Compliance Officer (or Chief Security Officer)
    • Complete the Breach Notification Report form.
  • Additional recommended actions:
    • Know the name and contact information for your Chief Compliance Officer.
    • Read your organization’s HIPAA policies and procedures.
    • Know how to quickly locate a copy of the policies & procedures in case you are confronted with an unfamiliar situation.

