Combined Staff
WUH
WHAT IS HIPAA? (The Health Insurance Portability and Accountability Act of 1996)
HIPAA
• Is a Federal Law;
• Creates uniform standards for certain payment-related transactions (e.g., claims submissions and eligibility verification); and
• Creates minimum standards for the privacy and security of patient information.
TRAINING REQUIREMENT
Compliance with the HIPAA regulations is the responsibility of the entire staff. This includes employees, medical staff, volunteers, residents, and students:
• Everyone must take steps to protect the confidentiality and privacy of patient information, and
• Everyone is required to receive HIPAA training.
At the end of this presentation, you will be asked to sign a certification which says you have received this training and agree to abide by the Hospital’s HIPAA policies.
HIPAA PRIVACY BASICS
GENERAL PRIVACY RULE
You may not USE or DISCLOSE Protected Health Information (“PHI”) except as permitted by the privacy regulations.
WHAT IS PROTECTED HEALTH INFORMATION OR “PHI?”
PHI is any information relating to a person’s health status, treatment or payment for health services which is created or received by the Hospital and which may identify the individual.
Includes: Oral, written and electronic records and communications.
QUESTION
Which of the following is PHI?
• A patient’s address
• A patient’s Medicaid number
• A patient’s date of birth
• A patient’s name
• All of the above
Answer:
Each of those items is considered PHI, or Protected Health Information.
EXAMPLES OF WHERE YOU MIGHT ENCOUNTER PHI:
• A sign-in sheet that includes the patient’s name and reason for her visit
• A code that documents a specific health procedure or test
• A patient identification bracelet or band, or an insurance card
• A conversation about a patient’s health over lunch with a colleague
• An appointment reminder message left on an answering machine
MORE EXAMPLES OF PHI:
• Physician dictation that is yet to be transcribed
• Patient status boards
• A telephone call to verify health insurance coverage
• The OR schedule
PAY CLOSE ATTENTION TO AREAS WHICH LEND THEMSELVES TO PRIVACY VIOLATIONS – DO A WALK-THROUGH OF YOUR FLOOR/DEPARTMENT
PRIVACY NOTICE
• Prior to providing services (except in an emergency or if the patient lacks capacity), the Hospital must provide each patient with a privacy notice and make a good faith effort to obtain a written acknowledgment from the patient that he/she has received the Hospital’s privacy notice.
• If the Hospital is unable to obtain the acknowledgment, it must document the attempt that was made, and the reasons why such attempt was not successful.
• The acknowledgment should be kept for at least six years.
PRIVACY NOTICE (Cont’d)
The Hospital’s privacy notice describes:
• How the Hospital uses and discloses PHI
• The patients’ rights concerning their PHI
• How the patient can make complaints (both to the Hospital and to the Office of Civil Rights) concerning privacy or security issues
• The Hospital’s notice is a “joint notice,” and it covers the Hospital and its medical staff with regard to services rendered at the Hospital
PERMITTED DISCLOSURES FOR THE HOSPITAL’S USE
The Hospital may use and disclose PHI without obtaining a HIPAA-compliant authorization form for the Hospital’s Treatment, Payment and Health Care Operations purposes.
Note: You must still comply with other more stringent laws (e.g., NYS law, HIV law, mental health law, and drug and alcohol laws).
TREATMENT
The provision, coordination and/or management of health care and related services including consultations and referrals.
Examples:
• If a patient receives care at a Hospital, the Hospital may send the patient’s blood to a reference laboratory for analysis.
• One physician may consult with another physician concerning the care of a particular patient.
• Hospital discharge personnel may provide information to nursing homes/home health agencies who may subsequently treat the patient.
PAYMENT
The activities undertaken by a provider to obtain reimbursement for services provided.
Examples:
• The Admitting Office is permitted to contact an insurance company to determine if a patient has insurance coverage.
• The Billing Department is permitted to send a bill to the patient or the patient’s third party payor.
HEALTH CARE OPERATIONS
The Hospital’s routine activities such as quality assurance, case management, credentialing, accreditation, education of staff, business planning and customer service.
Examples:
• Presenting case studies at a performance improvement meeting
• Sending incident reports to malpractice carriers
• Training of staff, residents and interns
• Participating in JCAHO accreditation
PERMITTED DISCLOSURES FOR THE USE OF OTHERS
In addition, the Hospital may disclose PHI without an authorization:
• For other providers’ Treatment and Payment purposes and certain Health Care Operations;
• To DHHS;
• To a patient’s family and personal representatives;
• In a facility directory; and
• In all other situations authorized by HIPAA.
AUTHORIZATIONS
• If the Hospital wants to use PHI for purposes other than treatment, payment or health care operations, it must obtain a HIPAA-compliant authorization form.
• The authorization form must be signed by the patient or his/her legal representative.
• The authorization form must be detailed and specific to the use or disclosure.
Examples:
• Research
• Marketing
• Photographing patients (for other than treatment purposes)
QUESTION
A patient comes to a hospital. Which of the following can be performed without written authorization from the patient or his/her legal representative?
a) Doctors reviewing the treatment plan for elective surgery
b) Billing for elective surgery
c) Sending laboratory results to an outside lab
d) Discussing the patient’s care at a quality assurance meeting
e) All of the above
Answer:
Each of those actions can be performed without written authorization from the patient or his/her legal representative.
MINIMUM NECESSARY RULE
You must limit the PHI which you use, disclose or request to the minimum necessary to accomplish your job responsibilities.
MINIMUM NECESSARY RULE: EXAMPLES
Example 1: When PHI is disclosed in response to a request from a health plan, only the information requested should be sent rather than the entire medical record.
Example 2: When PHI is used by a health care provider, such as a Physical Therapist, to treat a patient, the therapist limits his or her use of the medical record to those portions that are essential to the treatment of the patient.
MINIMUM NECESSARY RULE: EXCEPTIONS
The minimum necessary rule does not apply when PHI is disclosed to or requested by the patient himself, or by a provider in order to treat an individual.
MINIMUM NECESSARY RULE (Cont’d)
If you regularly receive reports containing PHI which you do not need to receive, or if you have greater access to PHI than you need to perform your job, please contact your Department Manager or Terry Lillis, our Privacy Officer.
INDIRECT PROVIDERS
• Deliver care based upon the orders of another health care provider;
• Transmit the results of these services directly to the provider who ordered the service (not to the patient);
• Are not required to obtain a privacy notice acknowledgment prior to providing services; and
• Are not Business Associates.
EXAMPLES: Laboratories, pathologists, radiologists
HIPAA HOT SPOT: HIPAA AND OTHER LAWS
• As the Hospital implements HIPAA, it must continue to follow current Hospital policy (which may be based upon other Federal and State law) unless the policy directly conflicts with HIPAA.
• If HIPAA and State law address the same topic, HIPAA applies, unless the State law offers the patient greater rights.
HIPAA HOT SPOT: HIPAA AND OTHER LAWS (Cont’d)
EXAMPLES:
• The Hospital must still follow New York State law relating to patient authorization for release of HIV records, even though these rules may be more strict than HIPAA.
• Although HIPAA does not require a HIPAA specific consent for permitted disclosures of PHI, the Hospital is still required to obtain other types of consents for health care purposes if required by law or Hospital policy (i.e., informed consents and consents for treatment).
PRIVACY OFFICER
Terry Lillis, at 663-2003, is the Hospital’s Privacy Officer and is responsible for ensuring compliance with the HIPAA Privacy Standards. If you have any questions or are aware of any HIPAA violations, contact her immediately.
Nick Casabona at 663-2370, as the Hospital's HIPAA Security Officer, is responsible for overseeing the technical aspects of the security of the electronic information.
COMPLAINTS
Jean Zebroski, Director of Patient Relations, at 663-2058, is responsible for responding to complaints regarding HIPAA violations.
Please refer any complaint relating to HIPAA directly to Jean.
HIPAA HOT SPOT: PATIENT DIRECTORY INFORMATION
HIPAA allows Hospitals to provide directory information to the public, but patients may request to opt out of being included in such directory. If they opt out, our Secured Patient Policy will be used to safeguard all of their information.
PATIENT RIGHTS
Under HIPAA, patients have the following rights:
• To request that the Hospital limit its use and disclosure of their PHI;
• To receive communications by alternative means (e.g., e-mail or fax) or at alternative locations (the Hospital must accommodate all “reasonable” requests);
• To access their PHI;
• To request amendments to their PHI; and
• To receive an accounting of certain disclosures of their PHI.
IMPLEMENTING PATIENTS’ RIGHTS
Example: A patient requests that PHI not be disclosed to any person other than his son.
• The Hospital is not required to agree to such a request, but if it does, it must modify the uses and disclosures it and its staff typically make.
ACCOUNTINGS
• HIPAA requires the Hospital to provide patients, upon request, with an accounting of certain disclosures of their PHI.
• The following disclosures do not need to be included on the accounting if performed in accordance with the HIPAA regulations:
– Disclosures of PHI that were made for purposes of Treatment, Payment or Health Care Operations;
– Disclosures to the patient requesting the accounting;
– Disclosures that are incidental to a permitted or required use of PHI;
ACCOUNTINGS (Cont’d)
– Disclosures pursuant to a valid HIPAA authorization;
– Disclosures to the Hospital’s patient directory;
– Disclosures to persons involved in the patient’s care and notices to family members or friends regarding the patient’s location, general condition and/or death;
– Disclosures for national security or intelligence purposes;
– Disclosures to correctional institutions or law enforcement officials, if involving criminal conduct that occurred on the Hospital’s premises;
– Disclosures of a limited data set; and
– Disclosures made prior to April 14, 2003.
ACCOUNTINGS (Cont’d)
The following are examples of disclosures that are required to be included in an accounting:
• Disclosures in response to a subpoena, without a HIPAA authorization;
• Infection control disclosures; and
• Disclosures to regulatory agencies such as the department of health.
DISCUSSIONS WITH PATIENT’S FAMILY AND FRIENDS
In general, the Hospital may disclose to a family member, relative, or close personal friend of the patient, or any other person designated by the patient, patient information directly relevant to that person’s involvement with, or payment for, the patient’s care (except HIV-related information, alcohol and/or substance abuse or mental health treatment).
DISCUSSIONS WITH PATIENT’S FAMILY AND FRIENDS (Cont’d)
• If the patient is present, PHI may be disclosed with the patient’s agreement. If the patient is given the opportunity to object and does not object, or if the Hospital reasonably infers from the circumstances that the patient does not object to the disclosure, then the Hospital may disclose the information to the family member or friend.
• If the patient is not present, or the opportunity to agree or object cannot practically be provided (incapacity or emergency), the Hospital may determine disclosure is in the patient’s best interest.
• Disclose only the information directly relevant to the person’s involvement with the patient’s health care.
HIPAA HOT SPOT: THE MEDIA
Unless a patient requests otherwise, if a caller asks for information on a particular patient, HIPAA permits the Hospital to release one-word condition information and location information without obtaining prior authorization.
At Winthrop, ALL communications with the Media are to be directed to the Vice President of External Affairs.
REMEMBER: Other laws may be more stringent (e.g., laws regarding HIV, mental hygiene, and substance abuse).
THE MEDIA (Cont’d)
• The media should not contact patients directly – they should request an interview through the External Affairs Department at ext. 663-2706. During off-hours, the operator will contact the Vice President of External Affairs for you.
• The Hospital may deny the media access to the patient if it would aggravate the patient’s condition or interfere with patient care.
FINAL MEDIA TIPS
The following activities require written authorization from the patient:
• Drafting a detailed statement (i.e., anything beyond one-word condition) for approval by the patient’s legal representative
• Taking photographs of patients
• Interviewing patients
In general, if the patient is a minor, permission for any of these activities must be obtained from a parent or legally authorized representative.
HIPAA HOT SPOT: FAXING
If you are faxing documents that contain PHI, be sure to take the following steps:
• Include a fax cover sheet with the approved HIPAA confidentiality statement on it.
• Perform random audits of sent faxes to ensure receipt by the correct party.
• Pre-program fax numbers.
• Routinely update fax number listings.
• Maintain the fax machine in a secure location.
HIPAA HOT SPOT: PUBLIC CONVERSATIONS
• Avoid holding conversations about PHI in public areas such as lobbies, elevators, cafeterias and hallways. If you must do so, keep your voice low and be aware of people who may overhear your conversation.
• Note: Conversations between providers, and between providers and patients, are permissible, even if incidentally overheard, as long as reasonable precautions were taken.
HIPAA HOT SPOT: REASONABLE SAFEGUARDS
Do not leave PHI in public view (e.g., lying around on desks or nurses stations or unattended on a fax machine), and take care when disposing of PHI (e.g., shred paper when feasible or place paper in locked confidential waste baskets).
Never place PHI in an unsecured waste basket, including the BLUE recycling bin.
MARKETING/FUNDRAISING
HIPAA allows the Hospital to use PHI for certain limited marketing and fundraising, provided that specific requirements are met. If you wish to use PHI for marketing or fundraising, contact John Broder, Vice President of External Affairs, at 663-2706 for guidance.
RESEARCH
There are several rules related to the use or disclosure of PHI for research purposes. These rules include:
• Creation of a Privacy Review Board (which can be the current IRB) to review all use or disclosure of PHI for research purposes
• Use of HIPAA authorizations
• Use of Limited Data Set/Data Use Agreements
• De-identification of PHI
If you participate in research activities, contact the Director of IRB at 663-2552 for a detailed description of HIPAA research requirements.
REMEMBER:
When you:
• Limit your own use and disclosure of or requests for information to the minimum necessary to perform the assigned task and
• Verify that information is being properly provided to an authorized person,
You will:
• Avoid the harmful effects of HIPAA violations.
HIPAA SECURITY BASICS
Security of PHI must be an ongoing and comprehensive process, not an event.
SECURITY RISKS
1. Human error
2. Nature (fire, earthquake, flood)
3. Technology failures
4. Deliberate security breaches (internal and external threats)
MANAGE YOUR PASSWORD
• Use letters and numbers to create passwords (e.g., axw49).
• Avoid common selections (e.g., your name, pet’s name, child’s name, etc.).
• Do not post your password on your computer or near your work area.
• Do not share passwords. If you forget your password, call the HELP Desk (663-4357).
PROTECT YOUR WORK AREA
• Avoid having PHI in public view.
• Do not leave unattended PHI on your computer screen or work station.
• Sign off when you are finished using a computer.
• Turn your computer screen away from public view.
BEWARE OF VIRUSES AND OTHER HARMFUL SOFTWARE
Viruses and other malicious software are a serious threat to the Hospital. To protect against them:
• Do not load information from outside on your computer without authorization.
• Do not download information from the Internet without the express authorization of your Department Manager.
• Do not open e-mails from unknown senders.
The Hospital will send you routine alerts when threats of new viruses become known.
FOLLOW HOSPITAL POLICY REGARDING REMOVAL AND INSTALLATION OF HARDWARE AND SOFTWARE
You may not install new hardware/software on the Hospital systems or remove hardware/software from the Hospital premises unless expressly authorized to do so by the Director of MIS or his designee.
REPORT INCIDENTS
It is your responsibility to report:
• Unauthorized log-ins to the system, whether successful or unsuccessful
• Any breaches in the security of PHI of which you become aware
• Sharing of passwords
Incidents can be reported to Nick Casabona, our Security Officer, at 663-2370.
QUESTION
Are any of the following HIPAA violations?
1. A social worker posts her password on the side of her computer.
2. Jane has a friend who forgot her password and wants Jane to “lend” her Jane’s password.
3. A physician is sitting at a computer terminal and reviewing a patient’s information. The physician then gets an emergency call to assist with a patient. The physician leaves the computer terminal on showing the information.
Answer:
Each of those actions would be a violation of HIPAA.
AUDIT TRAILS
The Hospital is required to maintain records and review its employees’ use and access to information on the Hospital computer network.
OTHER SUGGESTED SECURITY PRACTICES
• ALWAYS wear your name tag.
• Ensure that all vendors are properly supervised and log in and out of the Hospital.
• Shred or discard PHI in secure trash bins.
HIPAA HOT SPOT: E-MAIL
Communications sent over an open network (which includes e-mail over the internet) must have certain safeguards, which might include encryption. Review the Hospital’s security policies to determine the steps that must be taken in relation to e-mail and the Hospital's policy on sending/receiving PHI by e-mail.
SUMMARY
Protection of PHI is everyone’s responsibility. Here is a summary of a few topics that were discussed in this presentation:
• Do not discuss patient information at home or at social gatherings.
• Do not discuss patient information in public areas of the Hospital (e.g., cafeteria, lobby).
• Do not share your password.
• Do not leave PHI lying around unattended.
• Do not send PHI over the internet unless authorized to do so.
• Do inform the Privacy or Security Officer about any concerns you may have about release of PHI.
ELECTRONIC TRANSACTION STANDARDS: GENERAL RULE
If a provider (either itself or through an agent, e.g., a billing company) conducts a payment-related transaction electronically, the transaction must be conducted using the HIPAA format.
Note: If a payor still accepts covered transactions in paper format (e.g., paper claims), then such paper transactions do not necessarily have to conform to the new HIPAA formats.
Those involved in Electronic Transaction Standards will be contacted directly and trained as appropriate.
WHAT DOES IT MEAN TO STANDARDIZE A TRANSACTION?
• Standardized Formats
• Standard Data Content: A new Federal definition of “clean claim.”
• Standard Codes: ICD-9-CM, CPT-4, HCPCS, CDT-3, and HCPCS “J” codes.
HOW DOES HIPAA AFFECT YOUR RELATIONSHIP WITH THE HOSPITAL?
If you are an employee, student or volunteer:
• You are part of the Hospital’s workforce
• You must comply with the Hospital’s HIPAA compliance program
• Failure to comply will result in disciplinary action
• Failure to comply could trigger individual liability with penalties
INTERNAL SANCTIONS
• The Hospital is required to have policies regarding the disciplinary actions which may be taken if an employee fails to comply with these HIPAA policies.
• An employee who violates the Hospital’s HIPAA policies may be subject to various sanctions including written censure, suspension or termination.
• Medical Staff Members who violate these HIPAA policies may be subject to disciplinary action under the Medical Staff By-Laws.
FEDERAL SANCTIONS
Under HIPAA, violations may result in the Hospital and the employee being subject to civil monetary penalties and criminal actions, depending on the nature and extent of the HIPAA violation.
CIVIL FINES
Civil fines are limited to no more than $100 per violation, with a maximum of $25,000 in each calendar year for violations of an identical requirement.
Enforcer: Office of Civil Rights
CRIMINAL PENALTIES FOR “KNOWING MISUSE” OF PHI: THREE DEGREES
• Simple violations – up to $50,000 plus up to 1 year in prison.
• Violation committed under false pretenses – up to $100,000 plus up to 5 years in prison.
• Violation committed for gain or harm – up to $250,000 plus up to 10 years in prison.
Enforcer: OIG/Department of Justice
DISCUSSION/QUESTIONS
REVIEW CODE OF CONDUCT AND SIGN YOUR TRAINING ACKNOWLEDGEMENT FORM!