HITECH and HIPAA Compliance Higher Availability Privacy Auditing
Attachment F HIPAA/HITECH Training and Test Non-Recurring Observation Guidelines
description
Transcript of Attachment F HIPAA/HITECH Training and Test Non-Recurring Observation Guidelines
Attachment FHIPAA/HITECH Training and Test
Non-Recurring Observation Guidelines
HealthInsurancePortability and AccountabilityAct
HIPAA• Protects health insurance
coverage, improve access to care
• Ensures the privacy of healthcare information
• Restricts the use and disclosure of healthcare information
3
ARRA – American Recovery and Reinvestment Act of 2009:
• HITECH – Health Information Technology for Economic and Clinical Health Act
• New Breach Notification Rules
• Applies to covered entities and business associates
• Intent is to promote health information technology with increased privacy and security
• Increases penalties for violations
• “HIPAA on Steroids”
HITECH
PHI is Protected Health Information:
• Health information is any information whether oral, written or electronic, regarding a patient
• Information can be related to past, present, or future physical or mental health conditions
What is PHI?
● Email Address● Biometric Identifiers● Full Face Photo● Any other Unique
Identifying No., Characteristic or Code
Examples of PHI• Names• All Dates (birth, death, admission, discharge)• Numbers:
Social Security No.Medical Record No.Account No.Encounter No.Phone/Fax NumbersHealth Plan No.Vehicle Identification
No./License Plate No.
6
A breach is an unauthorized acquisition, access, use, or disclosure of unsecured PHI which compromises the privacy, security, or integrity of the PHI
PHI is unsecured if it is NOT encrypted or rendered unusable, unreadable, or indecipherable to unauthorized individuals
Breach Definition
7
Students/faculty accessing medical records for information on friends or family members out of curiosity/without a business-related purpose
Student/faculty access to the medical record of a celebrity who is treated at any facility
Stolen/lost laptop or PDA containing unsecured PHI Posting of patient’s PHI on social media site by
student/faculty Misdirected e-mail containing PHI to an external
group list Lost flashdrive containing database of patients
participating in a clinical study
Breach Examples
Some HIPAA sensitive student service areas might include:
• Lobby information desks
• Family waiting rooms
• Patient care areas
• Clerical/office support
HIPAA & You
HIPAA rules apply to PHI: • When you use it
• When you disclose it
• When you store it
• When you see it on your computer
• When you share it with another provider
• When it is lying on your desk
• When you are talking about it in any public area
• When you are talking about it over the phone
HIPAA Rules
Incidental Use and Disclosure covers communication needed to provide effective patient care, such as:
• Whiteboards at nurses stations
• Doctors conferring with patients’ families
• Waiting room sign-in sheets
• Patient charts at bedside
Incidental Use and Disclosure
Printed or electronic information left in public view
PHI in regular trash
Records accessed without a “need to know”
Unauthorized individuals hearing sensitive patient information such as diagnosis or treatment
Common ExposuresPatient’s charts left on
countersIncorrect phone
number when sending a fax
Laptop or PDA unattended/lost/stolen
Sending PHI outside of hospital system without encryption
Not signing off, sharing passwords
Access to confidential patient information is allowed if you follow the simple “NEED TO KNOW” rule:• If you need to see patient information to perform your
job, access to this information is OK
• If you do not “need to know” confidential information to perform your job, you are NOT permitted to access it
• If you access confidential patient information, even your own or that of a family member, you can be subject to corrective action, including termination or dismissal from an educational program
Minimum Necessary
Written notice provided to all patients:• Describes patient rights
• Details PHI uses and disclosures
• States how PHI is maintained
Posted in prominent locations
Notice of Privacy Practices
If a patient is asked for by their first and last name, The caller will be transferred to the patient’s location and the patient’s general condition may only be provided by Clinical Staff only if the patient is unable to communicate
Unless the patient has opted out of the directory
Hospital Directory Information
A patient may “opt out” of the patient directory and appear as a “Confidential Patient”
In addition, a notification will appear on the computer screen indicating you are attempting to access a confidential patient and your activities will be monitored and actions taken if inappropriate
These patients will not receive mail, phone calls, flowers, or visitors as we cannot confirm or deny the patient is in the facility
Because social media sites, such as Facebook and Twitter, enable people to easily and instantly share information with friends, family and others around the world, we all must remember to protect patient information
Even the smallest amount of information that could possibly identify a patient may not be shared
Social Networking
Wisconsin – a patient was brought into the ER where 2 RN’s, independently, took cell phone photos of the patient’s body part. One of the RN’s posted it on her Facebook page. Both RN’s were fired. The FBI is investigating this case for HIPAA violations.
Washington – Two certified nurses assistants and an LVN were fired from their positions for taking cell phone photos of nude nursing home residents, most of whom had dementia. These individuals have also put the nursing facility in jeopardy of losing their Medicare/Medicaid funding.
Recent Cases
Cell phone use can represent a security and privacy risk:
• Most cell phones have cameras and there is a privacy concern that pictures will be taken of patients or patient information
• Text messaging is not secure and represents a security risk if the text message includes PHI
Cell Phones & Texting
Protecting the confidential health information of patients is the responsibility of everyone involved
Be sensitive to confidential information Think before you talk about patient-specific
informationKeep information to yourself if you see or overhear
PHI Elevators, hallways, cafeterias, gift shops or other
common areas are not appropriate places to share PHI
Special Tips
HIPAA Security Hospitals must protect the information we collect on patients and their care
Assure proper disposal of PHI by placing in secure containers for future shredding:
Examples: • Surgery Schedules• Daily Patient Census
NOTE: Students are not allowed to print PHI at any of the hospital
ALWAYS log off or lock your computer whenever you leave your workstation
Use a password protected screensaver as an additional safeguard
Lock office doors when you’re going to be away from your workstation for long periods of time
Safeguard Workstations
•You are responsible for any activity done with your Logon User ID
•You are responsible for keeping your password secure
•NEVER share your Logon ID or password
•Protect your computer access
User Identification and Passwords:
Failure to Comply Civil and criminal penalties (hospital
and individual)
Exclusion from participation in Medicare programs
Damaged reputation
Place accreditation at risk
Lawsuit for breach of confidentiality
Civil Penalties Violation Category Each Violation All such violation of
an identical provision in a calendar year
Did Not Know $100 - $50,000 $1,500,000
Reasonable Cause $1,000 - $50,000 $1,500,000
Willful Neglect – Corrected
$10,000 - $50,000 $1,500,000
Willful Neglect – Not Corrected
$50,000 $1,500,000
For health plans, providers, clearinghouses and business associates that:• Knowingly and improperly disclose information
• Obtain information under false pretenses
Penalties can apply to any ‘person’
Penalties are higher for actions designed to generate monetary gain
Criminal Penalties
Action Fine PrisonObtaining/disclosing PHI
Up to $50,000 Up to 1 year
Obtaining PHI under ‘false pretenses’
Up to $100,000 Up to 5 years
Obtaining/disclosing PHI with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm
Up to $250,000 Up to 10 years
Criminal Penalties
Former UCLA Health System employee first person to be sentenced to prison 4/2010:• China-licensed cardiothoracic surgeon performing research at
UCLA School of Medicine
• Received notice of intent to terminate
• Accessed supervisor’s, co-workers’ and celebrities’ medical records – no legitimate reason
• No attempt to improperly use or sell any information
• Incarcerated on misdemeanor counts; fined $2,000
Individual Consequences
Individuals committing HIPAA violations can:
• Lose opportunities to participate in educational programs
• Lose professional licenses
• Be subject to criminal conviction
• Be fined
• Be subject to civil suit
HIPAA violations can ruin careers
Individual Consequences
HIPAA and IS Intranet sites Policies and Procedures Hotline: St. David’s Corporate Ethics Hot Line:
1-800-455-1996 St. David’s HealthCare Margie Novak, St. David’s Round Rock Medical Center (942-4212)
and St. David’s Medical Center / Georgetown Campus (341-6441) [email protected]• Chelsea Martel, St. David’s South Austin Medical Center (816-7138 ) [email protected] • Cynthia Colovas, St. Davids Medical Center (544-4288) and St. David’s North Austin Medical Center (901-1607) [email protected]
Resources
Complete the following test and return test to the facility. Please choose the best answer. What would you do? Name: ____________________1. You are reading mail to a patient with vision problems. The patient’s doctor was just in the
room talking with the patient about a new diagnosis of cancer. The patient is crying and is very upset. A visitor walks in and asked you what is going on. You know what just happened…….under HIPAA, would you tell the visitor?
A. The patient just has been diagnosed with cancer and is upsetB. Unable to discuss patient information with the visitorC. Don’t know
2. The doctor was making rounds and was paged. The doctor left the patient’s medical record on the patient’s bedside table. The patient asks you to hand him his record. What would you do?
A. Hand the patient his record.B. Leave the room.C. Explain that you would get the nurse and take the record.D. Pretend you didn’t hear the question.
Non-Recurring ObservationHIPAA/HITECH Test
3. A nurse asks you to dispose of some old laboratory reports that fall under the category of PHI. Where is the correct place, under HIPAA Privacy, to dispose of them?
A. Red trash binB. Regular trashC. Locked shred bin
4. Your best friend’s grandmother is in the hospital on the unit where you are observing. You overhear two nurses discussing the grandmother’s condition. Should you tell your friend what you overheard when you are in the cafeteria having lunch?
A. Just tell her a little bit – not the bad things.B. No – it is against HIPAA PrivacyC. Yes – it’s OKD. Don’t know
5. Name three consequences if HIPAA Privacy has been breached by an individual:
A. ________________________________________B. ________________________________________C. ________________________________________
HIPAA/HITECH Test (continued)
Name: __________________________