OVERVIEW OF THE HIPAA PRIVACY RULE and POLICIES
Presented by: Barbara Lee Peace
Facility Privacy Official
Coliseum Medical Centers
COMPLIANCE DEADLINE
HIPAA Privacy Rule
April 14, 2003
What is HIPAA?
HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996.
It’s a Federal law
Provides continuity of healthcare coverage
Administrative Simplification ???
Recognized need to improve protection of health privacy
Response by Congress for healthcare reform
Affects the entire healthcare industry
HIPAA is mandatory, with penalties for failure to comply
Transactions
•Requires standardized transaction content, formats, diagnostic & procedure codes, national
identifiers for healthcare EDI transactions.
Privacy
•Establishes conditions that govern the use and disclosure of individually identifiable health
information.
•Establishes patient rights in regard to their protected health information (PHI).
Security
•Establishes requirements for protecting the confidentiality, availability and integrity of individually identifiable health information.
Civil
For failure to comply with transaction standards
$100 fine per occurrence; up to $25,000 per year
Criminal
For health plans, providers and clearinghouses that knowingly and improperly disclose information or obtain information under false pretenses
Penalties higher for actions designed to generate monetary gain
up to $50,000 and one year in prison for obtaining or disclosing protected health information
up to $100,000 and up to five years in prison for obtaining protected health information under "false pretenses"
up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm
Why do we need HIPAA?
1996 - In Tampa, a public health worker sent to two newspapers a computer disk containing the names of 4,000 people who tested positive for HIV.
2000 - Darryl Strawberry’s medical records from a visit to a New York hospital were reviewed 365 times. An audit determined less than 3% of those reviewing his records had even a remote connection to his care.
2001 – An e-mail was sent out to Prozac informational listserv members revealing the identities of other Prozac users.
Closer to HomeCloser to Home
Title II - Administrative Simplification
Federal Law vs. State Laws
Protect health insurance coverage, improve access to healthcare
Reduce fraud and abuse
Establish new pt rights and privacy control by establishing common transaction sets for sending and securing pt information
Improve efficiency and effectiveness of healthcare
Reduce healthcare administrative costs (electronic transactions) ???
Who must comply?
HIPAA applies to all Covered Entities (CE) that transmit protected health information electronically, such as:
Health Plan
Health Care Clearinghouse
Health Care Provider
Unlike Y2K, HIPAA compliance does not end.
Confidentiality
The delicate balance between every employee’s, physician’s and volunteer’s need to know and the patient’s right to privacy is at the heart of HIPAA Privacy.
Practicing Privacy
Treat all information as if it were about you or your family.
Access only those systems you are officially authorized to access.
Use only your own User ID and Password to access systems.
Access only the information you need to do your job.
Practicing Privacy
Refrain from discussing patient information in public places.
Create a “hard to guess” password and never share it.
Log off or lock your computer workstation when you leave it.
HIPAA MYTHS
WHITE BOARDS
SIGN IN SHEETS
PAGING
CALLING OUT NAMES
NAMES ON DOORS
STRUCTURES TO PREVENT DISCLOSURES
Oral Communications
The following practices are permissible if reasonable precautions (lowering voices) are taken to minimize inadvertent disclosures to others:
Staff may communicate orally at the nursing stations
Health care professionals may discuss a pt’s treatment in a joint treatment area
Health care professionals may discuss a pt’s condition during patient rounds
Common Terminology/Abbreviations (not all inclusive)
Affiliated Covered Entity (ACE) – Entities under common ownership or control may designate themselves as an ACE. Uses and disclosures of PHI are permitted w/out consent or authorization under TPO.
Treatment, Payment or Healthcare Operations (TPO) – business practices the hospital undergoes for daily functions and services
Terminology, Con’t
Covered Entity (CE) – A health plan, healthcare clearinghouse, or healthcare provider who transmits any health information in connection with a transaction.
Designated Record Set (DRS) – Includes medical record and billing information, in whole or in part, used by or for the covered entity to make decisions about patients
Terminology, Con’t.
Business Associate (BA) – Person, business or other entity who, on behalf of an organization covered by the regulations, performs or assists in performing a function/activity involving use or disclosure of PHI.
Protected Health Information (PHI) – any identifying piece of information on a pt
Terminology - What is PHI?
Protected Health Information (PHI) is the medical record and any other individually identifiable health information (IIHI) used or disclosed for treatment, payment, or health care operations (TPO). (Secure Bins)
Name
Address
Photo images
Any date
Telephone/Fax numbers
Social Security Number
Medical record number
Health plan beneficiary number
Account number
Any other unique identifying number, characteristic, or code.
Terminology, con’t
Organized Health Care Arrangement (OHCA) – A clinically integrated care setting in which individuals typically receive health care from more than one provider, e.g., medical staff, radiologist phys group, ER phys group, volunteers, clergy, etc.
Terminology, Con’t
Notice of Privacy Practices (NOPP)
Disclosure of how PHI is used
Directory policy
Confidential Communications
Right to Access
Right to Amend
Accounting for Disclosures
Right to request restrictions on certain uses and disclosures
FPO contact information
Formal complaint process
When can we use PHI?
We can use PHI for Treatment, Payment and Healthcare Operations (TPO).
Business Associates (BA)
Affiliated Covered Entity (ACE)
Organized Health Care Arrangement (OHCA)
Do you need to know this information to do your job? “need to know basis” (Appropriate Access Policies)
MINIMUM NECESSARY INFO
Facility uses and discloses the minimum amount of PHI necessary to accomplish the intended purpose.
Applies whether the hospital is sharing, examining or analyzing PHI, or whether we are responding to a request outside the facility.
POLICIES
9 CORPORATE POLICIES
23 FACILITY POLICIES
CORPORATE POLICIES
PATIENT PRIVACY PROGRAM REQUIREMENTS
HIM.PRI.001
LISTS ALL PROGRAM REQUIREMENTS AND DEFINITIONS
Privacy Official Policy
Policy HIM.PRI.002
Barbara Lee Peace, FPO
Facility Privacy Official, Ext 1682
Gayla White, LSC
Local Security Coordinator, Ext 1419
PATIENT PRIVACY PROTECTION
HIM.PRI.003
Defines the individual’s responsibility in protecting PHI
“Need to know” is the basis for access
Right to Access
HIM.PRI.004
Individuals have the right to inspect and obtain a copy of their PHI.
Facility/PASA will provide a readable hard copy of the portions of the DRS requested.
On-line access not available at this time
Individuals with system access are not permitted to access their own record in any system.
Facility must act on a request for access no later than 30 days
Requests should be forwarded to the HIM Dept (unless Referral/Industrial or billing info)
May charge for copies according to GA Code
RIGHT TO AMEND
HIM.PRI.005
Individuals have the right to amend PHI contained in the DRS for as long as the information is maintained.
For the intent of this policy, amend is defined as the pt’s right to add to (append) information with which he/she disagrees, and does not include deleting, removing or otherwise changing the content of the record.
Requests for Amendment must be forwarded to the FPO for processing.
RIGHT TO REQUEST PRIVACY RESTRICTIONS
HIM.PRI.006
Patients will be provided the right to request restriction of certain uses and disclosures of PHI.
Requests for such restrictions must be made in writing to the FPO.
RIGHT TO REQUEST PRIVACY RESTRICTIONS
No other employee or physician may process such a request unless specifically authorized by the FPO.
The facility is not required to act immediately and should investigate its ability to meet the request prior to agreeing to any restriction.
99% of the time the request will not be honored.
RIGHT TO REQUEST PRIVACY RESTRICTIONS
Facility must permit pt to request privacy restriction. FPO or designee is the only person who may agree to any restriction
Should not be acted on immediately, rather after investigation to ensure facility can accommodate request
Request must be in writing from pt
If denied, pt must be notified of denial.
Request will be filed in med rec or billing
Termination of request (by facility or pt)
NOTICE OF PRIVACY PRACTICES
HIM.PRI.007 NOPP
NOPP must be given to every patient who physically registers for services (referrals, lab specimens thru SNF or HH, etc.). Each pt must acknowledge receipt (initialing).
4 page document outlining patient’s rights and notice of all of the ways the facility uses and shares a pt’s health info.
NOPP
Explains ACE, OHCA, uses, disclosures, rights to access, amend, receive confidential communications, request restrictions, request accounting of disclosures, how to file complaints, name & # of FPO, and more.
Notice must be posted throughout the facility and on the facility web site.
NOPP
Company-affiliated facilities may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising any rights under the HIPAA Privacy Standards
RIGHT TO REQUEST CONFIDENTIAL COMMUNICATION
HIM.PRI.008
Patients can request alternate means of communication for mail and telephone calls
Unacceptable means include fax, e-mail and Internet communications
Patient must complete and sign “Request for Confidential Communications” form
Form must be submitted to FPO, who will give a copy of the form to the patient
CONFIDENTIAL COMMUNICATION (cont’d)
FPO must notify other parties as appropriate (PASA)
If alternate phone/address is not accurate, 7 days must pass and then FPO will notify all applicable parties to take appropriate action
Patient must complete a new form for the future if original alternate info is incorrect
If revocation desired by pt, “Conf Communication Revocation” form must be completed
ACCOUNTING OF DISCLOSURES
HIM.PRI.009 AOD
Individuals have the right to an accounting of disclosures made by the facility
Includes written and verbal disclosures
Accounting must include the date, description of what was disclosed, statement of purpose for the disclosure and to whom the disclosure was made
AOD (cont’d)
HIM.PRI.009
EXCEPTIONS from Accounting: Uses and disclosures for treatment, payment, healthcare operations (TPO).
*** This is not a system audit trail of user access. This is an accounting of entities to which information has been disclosed ***
AOD (cont’d)
Facility must document the AOD and retain the documentation for 6 years.
Types of uses and disclosures that must be tracked for purposes of accounting:
Required by law
Public health activities
Victims of abuse, neglect, or domestic violence unless the healthcare provider believes informing the individual may cause serious harm or believes the individual is responsible for the abuse, neglect, or injury.
Health Oversight activities
Judicial and administrative proceedings
Law enforcement purposes
AOD (cont’d)
Decedents – Coroners and medical examiners OR funeral directors
Cadaveric organ, eye, or tissue donation purposes
Research purposes where a waiver of authorization was provided by the Institutional Review Board or preparatory reviews for research purposes
In order to avert a serious threat to health or safety
Specialized gov’t functions (Military or vet activities OR Protective services for the President and others)
Worker’s comp necessary to comply with laws relating to worker’s comp prgms (not including disclosures related to pymt)
AOD (cont’d)
Meditech
Correspondence menu
On the Mox menu
Detailed instructions forthcoming
FACILITY POLICIES
VERIFICATION OF EXTERNAL REQUESTORS
Policy assumes requestor is authorized and facility just needs to verify.
Identity verification
1. Valid State/Federal Photo ID
2. Minimum of 3 of the following: SS#, DOB, one of the following (acct #, address, Insur Carrier, card or policy #, MR #, Birth certificate)
3. Positive match of signature
VERIFICATION (CONT’D)
Unacceptable forms of identification:
•Employment ID card/Student ID card
•Membership ID cards
•Generic billing statements (utility bills)
•Supplemental Security card (SSI)
•Credit cards (photo or non-photo)
VERIFICATION (CONT’D)
Third –Party & Company identification methods:
•Letterhead
•Email address
•Fax Coversheet with company logo
•Photo ID
•If in doubt, follow-up via telephone
OPTING OUT OF DIRECTORY
Comparable to “no press, no info” as we know it
Must be in writing by pt
Pt Access will handle if requested, but nursing may have to handle
MUST inform patient of effects, e.g., no delivery of flowers, callers/visitors told no such pt, pt must notify family/friends of exact location, no clergy visits
OPTING OUT (cont’d)
Will be handled the same in Meditech
If in Directory, the following info will be released to members of clergy & other persons who ask for patient by name:
•Pt name
•Location
•Condition in general terms
•Religious affiliation
OPTING OUT (cont’d)
Opt Out form must be distributed to PAD and other appropriate dept’s to ensure pt is listed confidential and must be documented in med rec (change to conf in Meditech)
If pt asks to opt out during scheduling, OR, Rad, etc. must notify Pt Access & FPO
Gallup Survey upload file
Revocation of opt out – must be in writing
COMPLAINT PROCESS
Filed with facility & DHHS
To instill a measure of accountability
FPO must be notified
Complaint must be in writing
Steps taken to identify &/or correct any privacy deficiencies
Disposition of investigation by FPO to complainant and logged in complaint log
RELEASE TO LAW ENFORCEMENT, JUDICIAL
State law prevails where it is more strict
Outlines proper acceptance & response to:
Court order for judicial or administrative proceedings.
LAW ENFORCEMENT (cont’d)
•Subpoena or Discovery Request not accompanied by a court order. Pt must be given notice and ample time to object.
•Law Enforcement – Disclosure is permitted under specific circumstances.
ALL requests for release of information should be referred to the HIM Dept.
CLERGY ACCESS
Unless a pt is confidential or has requested to Opt Out of the facility directory, members of the clergy will be provided with the following information:
a. Name of pt
b. Condition in general terms
c. Location/Room Number
CLERGY ACCESS
If the pt, during nursing assessment, asks for his or her clergy to be notified, the nursing staff should handle notification according to the facility’s current process.
USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION
Patient authorization is required when:
Outside of TPO
Research
Psychotherapy notes (unless to carry out TPO)
New Authorization Form will replace existing form
RELEASING UNDER THE PUBLIC GOOD
PHI may be released to other covered health care providers w/out patient authorization for public good purposes
Public good exception permits disclosures in certain situations including, but not limited to, the following:
PUBLIC GOOD (cont’d)
Required by law
About victims of abuse, neglect, or domestic violence
Law enforcement purposes
For organ procurement
To avert a serious threat to health or safety
Worker’s comp or other similar program
Other situations (gov’t, disaster relief, etc)
PRIVACY MONITORING
Security Committee
Random Audits
Audits of employees with broad access
Audits across campuses
Audits of all employee records
PRIVACY MONITORING
Level and Definition of Violation:
Level I – Accidental and/or due to lack of proper education
Level II – Purposeful break in the terms of the Confidentiality and Security Agreement or an unacceptable number of previous violations
Level III – Purposeful break in the terms of the Confidentiality and Security Agreement or an unacceptable number of previous violations and/or accompanying verbal disclosure of patient information regarding treatment and status
Examples of Violations:
Failing to sign off a computer terminal when not using it
Accessing own record
Accessing a record without having a legitimate reason to do so
Sharing passwords
Improper use of e-mail
Using unlicensed software on HCA computers
Physician self-assigning without obtaining authorization
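The random audits and the violation examples above (accessing one’s own record, accessing a record without a legitimate reason, employees with broad access) describe checks that can be run over a system’s chart-access log, as opposed to the accounting of disclosures. The following is an added example written for this page; it is not facility code and not Meditech output. The log line format, the care-team and employee-to-MRN reference tables, the list of broad-access units, the viewer threshold and every log line are constructed assumptions.

```python
"""Added example for this page, not facility code or Meditech output.
Audit a chart-access log for the violations the policy lists (accessing
one's own record, accessing a record without a legitimate reason) and for
records drawing many distinct viewers. Log format, reference tables,
thresholds and every log line are constructed assumptions."""
import re
from collections import defaultdict

# Constructed sample log, one line per chart view (format assumed).
SAMPLE_LOG = """\
2003-04-15T08:02:11 user=rn_smith mrn=100234 unit=3W action=view
2003-04-15T08:05:40 user=rn_smith mrn=100234 unit=3W action=view
2003-04-15T09:11:02 user=clerk_jones mrn=100234 unit=ADMIT action=view
2003-04-15T09:40:55 user=dr_patel mrn=100234 unit=ER action=view
2003-04-15T10:00:13 user=clerk_jones mrn=100777 unit=ADMIT action=view
2003-04-15T11:20:00 user=rn_smith mrn=100500 unit=3W action=view
2003-04-15T12:00:00 user=tech_lee mrn=100234 unit=LAB action=view
2003-04-15T12:01:00 user=tech_kim mrn=100234 unit=LAB action=view
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) mrn=(?P<mrn>\d+) unit=(?P<unit>\S+) action=(?P<action>\S+)$"
)

# Assumed reference data. CARE_TEAM: users with a documented treatment,
# payment or operations involvement per MRN. OWN_MRN: the employee's own
# patient record, for staff who have been patients here. BROAD_ACCESS_UNITS:
# units whose job legitimately touches every registered patient; these are
# the "employees with broad access" the random audits target separately.
CARE_TEAM = {
    "100234": {"rn_smith", "dr_patel", "tech_lee"},
    "100777": {"clerk_jones"},
    "100500": {"dr_patel"},
}
OWN_MRN = {"rn_smith": "100500", "tech_kim": "100888"}
BROAD_ACCESS_UNITS = {"ADMIT"}
VIEWER_THRESHOLD = 4  # distinct viewers of one record that opens a review


def parse_log(text):
    """Parse log lines into dicts; an unparseable line is an error, not skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        events.append(m.groupdict())
    return events


def audit(events, care_team=CARE_TEAM, own_mrn=OWN_MRN,
          broad_units=BROAD_ACCESS_UNITS, threshold=VIEWER_THRESHOLD):
    """Return review candidates keyed by rule."""
    report = {"self_access": set(), "no_relationship": set(), "many_viewers": {}}
    viewers = defaultdict(set)
    for e in events:
        user, mrn = e["user"], e["mrn"]
        viewers[mrn].add(user)
        if own_mrn.get(user) == mrn:
            report["self_access"].add((user, mrn))
        elif user not in care_team.get(mrn, ()) and e["unit"] not in broad_units:
            report["no_relationship"].add((user, mrn))
    for mrn, users in viewers.items():
        if len(users) >= threshold:
            report["many_viewers"][mrn] = len(users)
    return report


if __name__ == "__main__":
    for rule, hits in audit(parse_log(SAMPLE_LOG)).items():
        print(rule, sorted(hits))
```

The self-access rule depends on an employee-to-MRN link that registration and HR hold separately from the clinical system; the care-team table stands in for whatever the system records as treatment, payment or operations involvement. The distinct-viewer count per record is the Strawberry-type signal: a chart viewed by many users is pulled for review and each viewer then has to show a care relationship. All three rules produce candidates for the Security Committee to review, not verdicts.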
SANCTIONS FOR PRIVACY VIOLATIONS
Security Committee
In current hospital policies
Violations must be documented
Levels of violation
•Accidental/lack of education
•Purposeful or unacceptable # of previous violations
•Purposeful with associated potential patient harm
Disclosures to Other Health Care Providers
May disclose for healthcare purposes
Verify requestor
Medical Staff is member of OHCA
Designated Record SetDesignated Record Set
Policy HIM
Includes:
Medical records and billing records for CMC used in whole or part to make healthcare decisions about patients.
**Information from another facility
- received before patient discharged
Privacy Fundraising Requirements
In general, individual patient authorization must be obtained to use or disclose a patient’s PHI for fundraising purposes.
Does not apply to CHS
Education Requirements
All employees must be educated prior to entering the work force
Education must be at onset and at least annually
Must be documented
FAX POLICY
CHECK NUMBERS
REPORT WRONG FAXES TO FPO
ALWAYS USE COVER SHEET
FAXBOX
MARKETING POLICY
A patient authorization is required and must be obtained for any uses or disclosures of PHI for purposes of marketing under the HIPAA Privacy Standards.
DEIDENTIFICATION
Policy addresses how to deidentify data if releasing.
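One way to carry out the de-identification the policy refers to, working from the identifier list on the “What is PHI?” slide (name, address, any date, telephone/fax numbers, SSN, medical record number, health plan beneficiary number, account number, photos, any other unique code). This is an added example, not the facility’s policy text or code: the record schema, the allowlist of releasable fields, the regular expressions and the sample record are all assumptions made for the example. It drops identifying fields by allowlist, scrubs identifier patterns that leak into free-text notes, and then re-checks the result with a broader pattern set before anything is released.

```python
"""Added example for this page, not the facility's policy text or code.
De-identify a patient record before release: keep only an allowlist of
non-identifying fields, scrub identifier patterns out of free text, then
re-check the result with a deliberately broader pattern set and refuse to
release if anything is left. Schema, field names, patterns and the sample
record are assumptions made for this example."""
import copy
import re

# Assumed schema: the only fields that may leave the facility. Name, address,
# dates, phone/fax, SSN, MRN, plan/account numbers and photos are not listed,
# so they are dropped; a field added to the schema later is dropped by default.
RELEASABLE_FIELDS = {"sex", "diagnosis_codes", "procedure_codes", "unit", "note"}

# Identifier shapes that tend to survive inside free-text notes (assumed).
SCRUB_PATTERNS = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\d)")),
    ("date", re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b")),
    ("mrn", re.compile(r"\b(?:MRN|MR#|acct#?)\s*:?\s*\d{5,}\b", re.IGNORECASE)),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
]
# The release check looks for everything above plus any long digit run: an
# unlabelled plan or account number is not scrubbed automatically (that could
# mangle clinical values) but it does block release for human review.
VERIFY_PATTERNS = SCRUB_PATTERNS + [("long_number", re.compile(r"\b\d{6,}\b"))]


def scrub_text(text):
    """Replace each known identifier pattern with a labelled placeholder."""
    for label, rx in SCRUB_PATTERNS:
        text = rx.sub(f"[{label} removed]", text)
    return text


def deidentify(record, releasable=RELEASABLE_FIELDS):
    """Copy only releasable fields, scrubbing any string value."""
    out = {}
    for key, value in record.items():
        if key not in releasable:
            continue
        out[key] = scrub_text(value) if isinstance(value, str) else copy.deepcopy(value)
    return out


def residual_identifiers(record):
    """List (field, pattern) pairs that still match after de-identification."""
    hits = []
    for key, value in record.items():
        if isinstance(value, str):
            hits.extend((key, label) for label, rx in VERIFY_PATTERNS if rx.search(value))
    return hits


def prepare_release(record):
    """De-identify, and refuse to release while any identifier pattern remains."""
    out = deidentify(record)
    leftovers = residual_identifiers(out)
    if leftovers:
        raise ValueError(f"release blocked, identifiers remain: {leftovers}")
    return out


# Constructed, fictional sample record.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "1002345",
    "ssn": "123-45-6789",
    "dob": "1961-03-09",
    "address": "12 Oak St, Macon GA",
    "phone": "478-555-0142",
    "sex": "F",
    "diagnosis_codes": ["I10", "E11.9"],
    "procedure_codes": ["99213"],
    "unit": "3W",
    "note": "Seen 04/15/2003 with MRN 1002345. Call 478-555-0142 for results. "
            "Pt reports SSN 123-45-6789 on file.",
}

if __name__ == "__main__":
    print(prepare_release(SAMPLE_RECORD))
```

Two caveats a reviewer would raise. Regular expressions catch structured identifiers but not a patient’s name written into a note, so free text still needs a human pass or is withheld. And the allowlist is deliberately a list of what may go out rather than a list of what to strip, so a field nobody thought about is dropped by default instead of leaking.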
LIMITED DATA SET
Allows for submission of a limited data set in certain situations.
RELEASE TO FAMILY AND FRIENDS
Better known as the “Passcode Policy”: requires a passcode at nursing units and other care units when releasing info on patients.
MINIMUM NECESSARY INFORMATION
Company wants to be sure that everyone is adhering to the rule that employees have only the minimum necessary information to do their jobs.
POLICIES POSTED
ATLAS – Policies & Procedures
• CHS
• HIPAA
– Facility
– Corporate
– Forms
MOX – Library
– HIPAA
SECURITY
Protecting our patients’ privacy is part of the quality care we provide at Coliseum Medical Centers
– It’s the Law –
Email and Internet Access
Email Systems and the Internet:
-Are for business purposes only
-Are monitored by corporate and CHS Information Services
-Any information passing to or through them is the property of the Company
Email Systems and Internet access may NEVER be used for:
-Offensive jokes or language
-Anything that degrades a race, sex, religion, etc.
-“Hate” mail – to harass, intimidate or threaten another person
-Forwarding chain letters
-Emails for want ads, lost and found, notification of events (wedding or other invitations) other than HCA sponsored events
-Access to “prohibited internet sites” containing pornography, “hate” sites, chat sites and gaming sites
The use of HCA’s information systems assets to access such sites is STRICTLY PROHIBITED!
-Any purpose which is illegal, against Company policy, or contrary to the Company’s best interest
Email Systems and Internet access violations are:
-Handled by our CHS Security Committee and will become a part of your personnel record in Human Resources
-Grounds for disciplinary action up to, and including, termination of employment and/or legal action
If you receive an email in violation of our policies or know of any inappropriate Email/Internet usage, please notify our Local Security Coordinator (LSC), Gayla White, or our Hospital Director of Information Services (HDIS), Joan Morstad at 765-4127 or by Outlook or MOX.
Remember adherence is neither voluntary nor optional.Remember adherence is neither voluntary nor optional.
Incident Reporting
Your Local Security Coordinator, Gayla White, is your first contact for questions or to report any known or potential security issues. The Hospital Director of Information Services, Joan Morstad, supports technical issues, including security issues. The Facility Privacy Officer, Barbara Lee Peace, will receive complaints about patient privacy.
A security breach is any deviation from the HCA – Information Technology and Services Policies, Procedures and Standards.
Violation levels and respective disciplinary actions are outlined in the AA.C.ENFORCE policy located on InSight – the CHS Intranet.
System access will be routinely reviewed through the use of conformance and monitoring audit reports viewed by the Local Security Coordinator and the Facility Security Committee.
Level and Definition of Violation:
Level I – Accidental and/or due to lack of proper education
Level II – Purposeful break in the terms of the Confidentiality and Security Agreement or an unacceptable number of previous violations
Level III – Purposeful break in the terms of the Confidentiality and Security Agreement or an unacceptable number of previous violations and/or accompanying verbal disclosure of patient information regarding treatment and status
Examples of Violations:
Failing to sign off a computer terminal when not using it
Accessing own record
Accessing a record without having a legitimate reason to do so
Sharing passwords
Improper use of e-mail
Using unlicensed software on HCA computers
Physician self-assigning without obtaining authorization
Examples of Discipline:
Retraining and discussion of policy
Oral warning or reprimand
Written warning
Termination of user privileges or contracts
Termination of employment
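As an added illustration (not part of the original presentation and not HCA’s or CHS’s own tooling), the following Python script shows the kind of conformance check the audit-report review described above could run. It reads access-log lines in an assumed layout, compares each record view against a constructed staff roster and patient census, and flags the violation types the slides list: accessing one’s own record, viewing a patient who is not in the user’s own care area, and access with no documented reason. The log format, the `reason` field, the roster, the census and all identifiers are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed staff roster (hypothetical): each user's own medical record number, if the
# employee is also a patient here, and the care unit the user is assigned to.
STAFF = {
    "jdoe":   {"own_mrn": "MRN-1001", "unit": "ICU"},
    "asmith": {"own_mrn": None,       "unit": "ER"},
    "rlee":   {"own_mrn": "MRN-1003", "unit": "ICU"},
}

# Constructed patient census (hypothetical): the unit each patient is currently in.
CENSUS = {"MRN-1001": "ICU", "MRN-1002": "ICU", "MRN-2001": "ER", "MRN-1003": "MED"}

# Assumed log line layout; a real system's audit format will differ.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\w+) action=(?P<action>\w+) "
    r"mrn=(?P<mrn>MRN-\d+)(?: reason=(?P<reason>\w+))?$"
)

# Constructed sample log: six record views on the compliance deadline date.
SAMPLE_LOG = """\
2003-04-14T08:01:00 user=jdoe action=view mrn=MRN-1002 reason=treatment
2003-04-14T08:05:00 user=jdoe action=view mrn=MRN-1001
2003-04-14T08:07:00 user=asmith action=view mrn=MRN-1002
2003-04-14T08:09:00 user=asmith action=view mrn=MRN-2001 reason=treatment
2003-04-14T08:12:00 user=rlee action=view mrn=MRN-1003 reason=treatment
2003-04-14T08:15:00 user=ghost action=view mrn=MRN-1002 reason=treatment
"""


def parse_log(text):
    """Return (events, malformed_count); malformed lines are counted, not dropped silently."""
    events, malformed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_LINE.match(line)
        if m is None:
            malformed += 1
            continue
        events.append(m.groupdict())
    return events, malformed


def audit(text, staff=STAFF, census=CENSUS):
    """Flag each access that matches one of the violation types listed on the slides."""
    events, malformed = parse_log(text)
    findings = []
    for ev in events:
        user, mrn = ev["user"], ev["mrn"]
        person = staff.get(user)
        if person is None:
            # A user ID missing from the roster deserves review on its own (stale account).
            findings.append({"user": user, "mrn": mrn, "rule": "unknown_user"})
            continue
        if person["own_mrn"] == mrn:
            findings.append({"user": user, "mrn": mrn, "rule": "own_record"})
        unit = census.get(mrn)
        if unit is not None and unit != person["unit"]:
            findings.append({"user": user, "mrn": mrn, "rule": "outside_care_area"})
        if ev["reason"] is None:
            findings.append({"user": user, "mrn": mrn, "rule": "no_documented_reason"})
    return findings, malformed


def summarize(findings):
    """Count findings per user, the shape a reviewer scans first in a conformance report."""
    return Counter(f["user"] for f in findings)


if __name__ == "__main__":
    found, bad = audit(SAMPLE_LOG)
    for f in found:
        print(f"{f['user']:8} {f['mrn']:9} {f['rule']}")
    print("malformed lines:", bad, "| per user:", dict(summarize(found)))
```

On the constructed log this produces seven findings: the self-lookups by jdoe and rlee, asmith’s view of an ICU patient from the ER, two views with no documented reason, and one ID that is not on the roster. A finding is only a lead for the Local Security Coordinator; whether it is a Level I or a Level II/III violation is decided by the review, not by the script.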
REMEMBER
Be aware of the systems you use and report any
violations of policy.
LOG IN SUCCESS OR FAILURE
Log-in success or failure is a general term for end user awareness and training, including their understanding of their responsibility to ensure the protection of the information they work with and their ability to recognize normal and abnormal system functionality.
Information Security in the healthcare industry means protecting employee and company information, but also includes the patient information gathered on behalf of a patient during treatment.
WHAT ARE GOOD INFORMATION SECURITY PRACTICES?
1. Treat all information as if it were about you or your family.
2. Access only those systems you are officially authorized to access.
3. Take reasonable measures to shield sensitive and confidential information from casual view, such as positioning workstations away from public view.
4. Minimize the storage of confidential information on a local workstation.
5. Always exit the system before leaving work.
6. Access only the information you need to do your job.
Read the Information Security Guide that is available on ATLAS under Information Technology Services>Security>Awareness Education>Security Guide.
Certain kinds of Internet/email use require large amounts of network bandwidth and, when multiplied by too many users, can actually monopolize our system resources. These “bandwidth hogs” can slow or even shut down the computer systems we need for day-to-day work.
WHAT IMPACTS OUR SYSTEMS?
1. Internet images/graphics accessed on your web browser.
2. Pictures/graphics sent by email using the Company email system.
3. Internet news sites, using either streaming audio or streaming video.
4. MP3 (music) files downloaded from the Internet.
Take a close look at how you use the Company’s network to ensure that your Internet habits don’t contribute to a slowdown of our systems.
REMEMBER
Use of the internet plays an important part in keeping our Company’s network performing properly.
NEED TO KNOW
Workforce members only access systems they are authorized to access.
Never use a password that does not belong to you.
Never give someone else your password.
Always request access to a system through the proper channels.
Workforce members access only the information needed to perform a task or job.
Never view a patient’s information that is not in your direct care area.
Never request information from coworkers about a family member, friend or your own record.
Never access your own record; instead, request information from Health Information Management.
Workforce members only share sensitive and confidential information with others having a “need to know” to perform their job.
Never give information about patients in your care area to coworkers outside your care area.
Never discuss patient information in elevators, dining areas, or other public places.
Direct all requests for information from coworkers about their own or other records to Health Information Management.
Keep sensitive and confidential information in a locked cabinet or drawer when not in use.
REMEMBER
Only access information that is needed to perform your duties!!
PASSWORD MAINTENANCE
Did you know that guessing or using a known password makes up about 60% of all successful information security breaches? This means that creating a secure password is vital to network protection.
You should never write down or give your User ID and password to anyone else, and you should never use anyone else’s User ID and password. Using or allowing someone to use a User ID and password that was not assigned to them is like giving a stranger your Bank Card and PIN number!!
Inferior passwords include:
Your user ID or Account Number
Your Social Security Number
Birth, death or anniversary dates
Family member names
Your name forward or backwards
Good quality passwords are:
Eight characters or more
Uppercase (A) and lowercase (a) letters
Combinations of letters and numbers
Easy to type and remember
Made up of a pass phrase
A pass phrase is unique and familiar to you, and easy to remember, but not easy to guess. Think of a phrase like “See you later.” For systems that accept numbers and special characters, you can substitute letters for words and add a special character to transform the phrase into something like CUL8ter!. For systems that do not accept numbers and special characters, your password might be CULatER.
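As an added example, not code from the presentation, here is a Python check that applies the password rules above mechanically. It rejects passwords containing any of the items listed as inferior (user ID, account number, Social Security number, birth/anniversary dates in several typed forms, family member names, and the user’s own name forward or backward) and requires eight or more characters, both uppercase and lowercase letters, and a mix of letters and numbers. The profile values are constructed, and the `system_accepts_digits` switch is an assumption that mirrors the slide’s note about systems that do not accept numbers and special characters.

```python
import re
from datetime import date

# Constructed profile of the person choosing a password (hypothetical values, not real data).
USER_PROFILE = {
    "user_id": "jsmith",
    "account_number": "4472819",
    "ssn": "123-45-6789",
    "name": "Jane Smith",
    "family_names": ["Tom", "Emily"],
    "dates": [date(1970, 5, 14), date(1995, 6, 21)],  # birth and anniversary dates
}


def _date_forms(d):
    """Common ways a date gets typed into a password: 051470, 05141970, 19700514, 140570, 1970."""
    return {d.strftime(f) for f in ("%m%d%y", "%m%d%Y", "%Y%m%d", "%d%m%y", "%Y")}


def personal_fragments(profile):
    """Every personal string the slide lists as an inferior password, lower-cased."""
    frags = {
        profile["user_id"],
        profile["account_number"],
        profile["ssn"],
        profile["ssn"].replace("-", ""),
    }
    for part in profile["name"].split():
        frags.add(part)          # name forward
        frags.add(part[::-1])    # name backwards
    frags.update(profile["family_names"])
    for d in profile["dates"]:
        frags.update(_date_forms(d))
    return {f.lower() for f in frags}


def check_password(pw, profile=USER_PROFILE, system_accepts_digits=True):
    """Return the list of slide rules that `pw` violates; an empty list means it passes.

    Fragment matching is a substring match, so a password built around personal data
    is still rejected when it is padded with extra characters.
    """
    problems = []
    low = pw.lower()
    for frag in sorted(personal_fragments(profile)):
        if frag in low:
            problems.append(f"contains personal information ({frag})")
    if len(pw) < 8:
        problems.append("fewer than eight characters")
    if not (re.search(r"[A-Z]", pw) and re.search(r"[a-z]", pw)):
        problems.append("needs both uppercase and lowercase letters")
    # The slide exempts systems that cannot accept numbers and special characters.
    if system_accepts_digits and not (re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw)):
        problems.append("needs a combination of letters and numbers")
    return problems


def is_acceptable(pw, **kwargs):
    """True when no listed rule is violated."""
    return not check_password(pw, **kwargs)


if __name__ == "__main__":
    for candidate in ("CUL8ter!", "CULatER", "jsmith", "Jane1970!x", "htimS123"):
        print(candidate, check_password(candidate) or "ok")
```

With this profile, `CUL8ter!` passes every listed rule, while `CULatER` is seven characters and therefore fails the eight-character rule even with `system_accepts_digits=False`. Two caveats a reviewer should keep in mind: the rules as listed also accept a password such as `Password1`, because the list says nothing about common words, so “easy to remember but not easy to guess” still rests on the pass phrase being personal rather than commonplace; and the substring check will occasionally reject an innocent password that happens to contain a short family name.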
REMEMBER
Your ID and password document work performed and information reviewed by YOU!!
POLICIES AND STANDARDS
HCA relies heavily on computers to meet its operational, financial, and information requirements. The computer system, related data files, and the derived information are important assets of the company.
POLICIES: A mechanism of internal controls for routine and non-routine receipt, manipulation, storage, transmission and/or disposal of health information.
Facility and Corporate policies are located on InSight – the CHS Intranet – under the Policies & Procedures section.
Before being issued a password to CPCS, all employees are required to sign the AA.C.ENFORCE policy describing the requirements for discipline when confidentiality breaches of patient or hospital financial information and data are identified, and the AA.H.OWNMR policy identifying the proper procedure for employees who want to view a copy of their own medical record.
All system users are responsible for abiding by the policies and procedures established to protect the company’s information.
STANDARDS: The minimum security standard requirements for processing information in a secure environment and for helping facilities comply with the proposed HIPAA (Health Insurance Portability and Accountability) Security Rule.
IT&S Standards are published on ATLAS under Information Technology & Services, in the Security section. The latest standards that have been published are:
System Warning Banner
Identification
Authentication
Encryption
Wireless Networks
Electronic Mail System
Workstation Security
Mobile Computing
Open Network Security
Security Awareness
Virus Control
REMEMBER: Each employee is expected to become familiar with and abide by our policies and standards.
WORKSTATION SECURITY
Your workstation is any terminal, instrument, device, or location where you perform work.
Protection of the workstation and its equipment is each employee’s responsibility.
If you leave cash out where the casual observer can see it, are you certain it will be there the next time you look? Our work-related information is even more valuable!
Examples of sensitive information that should never be left unattended:
Patient Identifiable Information. Never leave out any information that is directly related to or traceable to an individual patient.
Departmental Reports.
Employee Evaluations or Goals. Keep personal information about you between you and your manager.
Consulting or Audit Reports. Reports that reveal intricate details about Company operations or systems should be protected from outsiders.
To keep your workstation secure, be sure to perform a “self audit” and evaluate the information you leave on top of your desk.
Examples of secure workstations:
PCs are secured (locked) to a heavy object whenever possible.
When not in use, hard copy information, portable storage, or hand-held devices are kept in a secured (locked) place.
Information on any screen or paper is shielded from casual public view.
Terminals and desks are not left active or unlocked and unattended.
Company approved anti-virus software actively checks files and documents.
Only company approved, licensed, and properly installed software is used.
Portable storage such as disks and tapes is obtained from a reliable source.
Backups of electronic information are performed regularly.
Surge protectors are used on all equipment containing electronic information.
It is the responsibility of all users who have laptops and other portable devices to exercise due care (i.e., locking and/or storing safely) to prevent opportunist theft or loss.
REMEMBER
It is your responsibility to protect the information resources on your individual workstation.
For more information…
http://www.hipaadvisory.com/
http://aspe.os.dhhs.gov/admnsimp/
http://www.hcfa.gov/
http://www.ahima.org/
http://www.ama-assn.org/ama/pub/category/4234.html