Privacy Presentation 2016


Transcript of Privacy Presentation 2016

Page 1: Privacy Presentation 2016

2016 Windstone Behavioral Health

Compassion, Courtesy, Respect

Windstone Behavioral Health

Privacy Training: Privileges, CMIA, HIPAA

Page 2: Privacy Presentation 2016

What You’ll Do in This Session

• Learn about areas covered by the Code of Conduct
• Overview of healthcare privacy
• Learn about physician/patient confidentiality rules
• Learn about Federal law: HIPAA (Health Insurance Portability and Accountability Act)
• Learn about California state law: CMIA (Confidentiality of Medical Information Act)
• Take a short quiz on what you’ve learned about HIPAA

Page 3: Privacy Presentation 2016

Areas Covered by Code of Conduct

Page 4: Privacy Presentation 2016

Areas Covered by Code of Conduct

• Gift Giving and Receiving
  o Windstone employees are prohibited from accepting or asking for bribes, kickbacks, gratuities or other forms of payment.
  o Employees or other business affiliates may not offer anything to influence business or to gain special treatment as an individual or organization.
• Harassment and Discrimination
  o Windstone is committed to providing a work environment free of discrimination and harassment.
  o The company will not tolerate any form of harassment at any level of the organization.

Page 5: Privacy Presentation 2016

Areas Covered by Code of Conduct

• Work Place Bullying
  o Windstone will not in any instance tolerate bullying behavior.
  o Bullying is defined as repeated inappropriate behavior, either direct or indirect, whether verbal, physical or otherwise, conducted by one or more persons against another or others, at the place of work and/or in the course of employment.
• Environmental Standards
  o Health care facilities produce wastes of various types. We are committed to safe and responsible disposal of waste products and compliance with all applicable environmental laws and regulations.

Page 6: Privacy Presentation 2016

Areas Covered by Code of Conduct

• Health and Safety
  o We maintain an Injury and Illness Prevention Program (IIPP) to assist in providing a safe and healthy work environment.
  o Each employee is expected to obey safety rules and to exercise caution in all work-related activities.
• Personal Use of Company Resources
  o Company resources must be maintained and utilized according to the rules and regulations.
  o We reserve the right to inspect all property to ensure compliance.
  o Employees are prohibited from using company facilities or equipment for personal use without prior authorization.

Page 7: Privacy Presentation 2016

Areas Covered by Code of Conduct

• Relationships with contractors, vendors, etc.
  o We strive to employ the highest ethical standards in all business practices and maintain integrity and excellent rapport with all business relations.
  o Selection criteria will be objectively based upon quality, service, price, technical excellence and the overall ability to meet our business needs, and will not be determined by personal relationships and friendships.
• Substance Abuse
  o We are committed to providing a drug- and alcohol-free work environment to protect the interests of all individuals involved.
  o The use of alcohol, illegal drugs, or controlled substances, whether on or off the job, can adversely affect an employee’s work performance, efficiency, safety and health.

Page 8: Privacy Presentation 2016

Areas Covered by Code of Conduct

• Fair Dealing
  o We are dedicated to providing quality healthcare services to our community by maintaining the utmost ethical, legal and business standards.
  o Employees are expected to conduct business honestly and fairly, without misrepresentation of material facts.
• Workplace Violence
  o It is our intent to provide a safe workplace for employees and to provide a comfortable and secure atmosphere for our customers and others with whom we do business.
  o We have zero tolerance for violent acts or threats of violence.

Page 9: Privacy Presentation 2016

Areas Covered by Code of Conduct

• Confidentiality and Privacy
  o We follow State and Federal laws regarding confidential information, and treat proprietary information, trade secrets and internal information as valuable assets.
  o We adhere to the Health Insurance Portability and Accountability Act.

Page 10: Privacy Presentation 2016

Disciplinary Action

• Failure to comply with this Code or the Compliance plan may result in disciplinary action or termination.
• Disciplinary decisions can vary depending on the severity and the frequency of the misconduct.
  o You may be subject to disciplinary action if you are aware of a problematic situation and do not report it.

Page 11: Privacy Presentation 2016

Preventing Misconduct

• In an effort to prevent misconduct, the company requires all employees and practitioners to:
  o Know and comply with our policies and procedures
  o Participate in annual Code of Conduct and all required compliance trainings
  o Report incidents experienced directly or witnessed
  o Cooperate with investigations

Page 12: Privacy Presentation 2016

Physician/Patient Confidentiality

• Long-standing legal rule called a “privilege”: a special entitlement or immunity
  o Communication between physician and patient is CONFIDENTIAL
  o Modern rule also applies to psychotherapists, which is defined to include MDs, NPs, psychologists, licensed social workers, and LMFTs
  o Applies to agents (people who work for the clinicians)
• All employees must be aware of legally-required privacy considerations in all communications, oral, written and verbal, regarding a member.

Page 13: Privacy Presentation 2016

The Health Insurance Portability and Accountability Act (HIPAA)

• Federal legislation that was originally enacted in 1996 to make it easier for people to move from one health insurance plan to another
• Balances concerns over the need to access health information with the patient’s desire for privacy
• Prevents misuse and abuse of confidential medical information

Page 14: Privacy Presentation 2016

Who is Affected by HIPAA

• Employees who handle, use, or know individuals’ Protected Health Information
• Health Care Providers (health departments, hospitals, doctors’ offices, any agency that transmits PHI electronically)
• Health plans that provide or pay the cost of medical care (e.g. Medicaid, Medicare, BC/BS/HMOs)
• Trading Partners: electronically exchange Protected Health Information
• Business Associates: perform services “on your behalf”
• HIPAA also applies to you as a consumer of healthcare!

Page 15: Privacy Presentation 2016

California Law: CMIA

• Confidentiality of Medical Information Act
• California was one of the first states to enact laws to protect the privacy of all medical information and to give patients rights to access and protect their medical record.
• Provides that all medical information is private and that patients have rights such as obtaining copies of their medical record.

Page 16: Privacy Presentation 2016

California Law: CMIA

• Can disclose information for certain purposes:
  o To clinicians for purposes of diagnosis and treatment
  o To billing companies
  o To quality committees/peer review
  o To insurance plans

Page 17: Privacy Presentation 2016

California Law: CMIA

• Special rules for psychotherapy
  o Usually requires authorization by the patient that
    1) Sets forth the specific information to be released,
    2) States the length of time that the information will be kept before being destroyed, and
    3) Includes a statement that the information will not be used for any other purpose
  o Can always be used for diagnosis and treatment

Page 18: Privacy Presentation 2016

What does this mean for you?

• Speak with a lowered voice so others cannot overhear. NEVER use a speaker phone.
• Be very careful when leaving messages that can be replayed or overheard by others.
• Get permission before mailing documents to members.
• Document permission in the member’s medical record.

Page 19: Privacy Presentation 2016

What is covered? Protected Health Information (45 CFR 160.103)

• PHI is all individually identifiable health information
  o including demographic information, physical or mental health, or other information that identifies the individual
• PHI is information on treatment and care that is transmitted or maintained in any form or medium
  o electronic, paper, oral, etc.
  o Examples of where PHI can be found:
    - Medical records and billing records
    - Insurance/benefit enrollment and payment
    - Claims adjudication
    - Case or medical management

Page 20: Privacy Presentation 2016

Examples of PHI

  o Names
  o All geographic information, including street address, city, county, zip code
  o All elements of dates (except year)
  o Telephone, fax numbers
  o Email addresses
  o Social Security numbers
  o Medical Record numbers
  o Health plan beneficiary numbers
  o Account numbers
  o Certificate/License numbers
  o Vehicle IDs, plates, serial numbers
  o URLs, IP addresses
  o Biometric IDs: finger and voice prints
  o Full face photographs
  o Any other unique identifying number or characteristic

Page 21: Privacy Presentation 2016

What is NOT covered by PHI (45 CFR 160.103)

• Employment records
• Family Educational Rights and Privacy Act (FERPA) records

Preemption of state law: the Privacy Rule overrides any other state law unless that state law provides more protection for the consumer.

Page 22: Privacy Presentation 2016

PHI Protection

• Close doors
• Conduct discussions so that others may not overhear them
• Do not leave medical records where others can see them or access them
• Keep medical test results private
• Do not leave copies of PHI at copy machines, printers, or fax machines
• Do not leave PHI exposed in mail boxes or conference rooms
• Do not share computer passwords or leave them visible
• Do not leave computer files open when leaving an unlocked or shared work area
• Dispose of paper containing PHI properly

Page 23: Privacy Presentation 2016

What Actions are Covered?

• Use
  o Internal
  o With respect to “individually identifiable health information”: the sharing, employing, applying, utilizing, examining, or analyzing of such information within the organization that maintains such information (45 CFR 164.50)
• Disclosure
  o External
  o Release, transfer, allowing access to, or divulging information outside the organization (45 CFR 164.501)

Page 24: Privacy Presentation 2016

Use and Disclose for TPO

• Covered Entities can use and disclose PHI without patient authorization for TPO purposes:
  o Treatment: providing, coordinating, and managing health care, including consultation and referrals
  o Payment: paying or being paid for health care services
  o Operations: administrative, legal, quality, training, planning, contracting, and other necessary business functions

Page 25: Privacy Presentation 2016

Minimum Necessary Standard

• Health care employees should “use and disclose” only the minimum necessary PHI required to do their jobs.

Page 26: Privacy Presentation 2016

Use of Power of Attorney (POA)

• Remember, confidentiality requirements apply to family members
• DO NOT disclose to a member’s spouse or children without a POA or, in limited situations, the express documented permission of the member
• Signed authorizations for release of information are considered invalid if there is no expiration date or an event that triggers expiration.
  o WBH release forms indicate expiration as either one year from the date signed or as noted.

Page 27: Privacy Presentation 2016

Use of Power of Attorney (POA)

• Here at WBH, the wife of a member called asking to speak to the practitioner regarding an issue with her husband’s medication. We immediately called the practitioner to give him the wife’s cell phone number. The practitioner refused to speak with the wife; he stated the husband had expressly told him that he didn’t want his wife involved in his treatment.
• Small town hospital: a woman’s pregnancy test was positive. A lab tech sees the woman’s sister that night at a local restaurant and congratulates her. The woman wasn’t married and wasn’t going to disclose to family. She sues and wins a judgment against the lab tech and the hospital.

Page 28: Privacy Presentation 2016

Incidental/Accidental Use/Disclosure

• Some uses/disclosures are “incidental / accidental”
  o Made in the course of routine operations (talking about a member to the clinical team and someone else overhears)
  o Limited in nature (it occurred as the other person waited to talk to the clinical team)
  o Could not be reasonably prevented
  o Allowed IF:
    - The “minimum necessary standard” is followed
    - Reasonable safeguards are in place

Page 29: Privacy Presentation 2016

Incidental/Accidental Use/Disclosure

• Report an “INCIDENTAL/ACCIDENTAL USE AND DISCLOSURE” to your supervisor or the Compliance Officer IMMEDIATELY
• DO NOT DESTROY any documents, e-mail messages, voicemail messages, or ANYTHING else relating to the disclosure
• Destruction of records can result in additional discipline
• A violation of PHI is considered a breach as soon as it occurs

Page 30: Privacy Presentation 2016

HIPAA Gives Members the Right to:

• ACCESS their PHI, including inspecting and obtaining a copy of PHI
• AMEND incorrect records: a member can request an amendment
• An ACCOUNTING of disclosures: a member can request an accounting
• AUTHORIZE, or refuse to authorize, the use or sharing of PHI
• Designate someone to ACT on the patient’s behalf regarding PHI
• ALTERNATIVE means: a member can request receipt of PHI by alternative means and at alternative locations, where routine communications could endanger the individual
• File a complaint about a possible breach of privacy

Page 31: Privacy Presentation 2016

Safeguarding Member Privacy: Administrative, Physical and Electronic Procedures

• Three types of safeguards:
  1) Administrative
  2) Physical
  3) Electronic

Page 32: Privacy Presentation 2016

Administrative Safeguards

• Confidentiality agreement
• Confidentiality/HIPAA policies in the policy and procedure manual

Page 33: Privacy Presentation 2016

Physical Safeguards

• Use your key card; don’t let strangers into the building.
• Pick up printouts and copies promptly from printers, fax machines, and copiers.
• Every day at close of business, clean off your desk.
• Use fax software to receive secure faxes directly into your computer.

Page 34: Privacy Presentation 2016

Physical Safeguards

• Use the locked trash bins in the hallway
• Insert documents completely into the trash bin; do NOT leave papers containing PHI outside the bin

Page 35: Privacy Presentation 2016

Electronic Safeguards

• Protect the confidentiality of transmitted electronic confidential information, including but not limited to electronic Protected Health Information (ePHI), by using a secure fax or the Secure File Portal.

Page 36: Privacy Presentation 2016

When E-mailing PHI

• E-mail PHI ONLY within:
  o Windstone, HCP, CalOptima, HealthNet, MHN, ProspectMedical, and monarchhealth.com.
• For those companies with which we do not have a partnership, type “whss” within the email (subject or body), which will force outbound encryption.
  o Do not place any PHI in the subject heading; an internal patient identifier (member id number) or abbreviation may be used instead.
• For any other instances, PHI should either be faxed or placed on our Secure File Portal.
• Encrypted email policies and procedures can be found on the Wiki.
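As an added example (not part of the training deck and not Windstone’s own mail tooling), the following Python check applies the e-mailing rules above to an outbound message: plain e-mail only to partner domains, the “whss” trigger for everyone else, and no PHI-like values in the subject. Only monarchhealth.com is named as a domain on the slide, so the other partner domains and the member-id format are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Domains whose recipients may receive PHI in plain e-mail. Only monarchhealth.com is
# named as a domain on the slide; the other partners are listed by company name, so
# the remaining entries are constructed placeholders, not real partner domains.
PARTNER_DOMAINS = {
    "monarchhealth.com",
    "windstone.example",      # placeholder for Windstone's own domain (assumed)
    "partner-plan.example",   # placeholder for the other named partner plans (assumed)
}

# Keyword that the deck says forces outbound encryption when typed in subject or body.
ENCRYPTION_TRIGGER = re.compile(r"\bwhss\b", re.IGNORECASE)

# Internal member id allowed in a subject line (constructed format, assumed).
MEMBER_ID = re.compile(r"\bWBH\d{6}\b")

# Subject-line patterns resembling PHI identifiers listed in the deck
# (SSN, phone/fax number, any date element other than a bare year, e-mail address).
SUBJECT_PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}(?:/\d{2,4})?\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b", re.IGNORECASE),
}


@dataclass
class Verdict:
    allowed: bool            # message may be sent as-is
    encrypted: bool          # the whss trigger is present, so the gateway will encrypt
    reasons: list = field(default_factory=list)  # policy findings, empty when allowed


def recipient_domain(address: str) -> str:
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def check_outbound_phi_email(recipients, subject, body, partners=PARTNER_DOMAINS) -> Verdict:
    """Apply the deck's e-mailing rules: no PHI in the subject, plain e-mail only to
    partners, and the whss trigger for everyone else (otherwise fax or the portal)."""
    reasons = []

    # Rule 1: nothing PHI-like in the subject heading; a bare member id is permitted.
    scrubbed_subject = MEMBER_ID.sub("", subject)
    for name, pattern in SUBJECT_PHI_PATTERNS.items():
        if pattern.search(scrubbed_subject):
            reasons.append(f"subject contains PHI-like {name}")

    # Rule 2: every recipient must be a partner, or the encryption trigger must be present.
    all_partners = all(recipient_domain(r) in partners for r in recipients)
    encrypted = bool(ENCRYPTION_TRIGGER.search(subject) or ENCRYPTION_TRIGGER.search(body))
    if not all_partners and not encrypted:
        reasons.append("non-partner recipient without whss trigger: use fax or the Secure File Portal")

    return Verdict(allowed=not reasons, encrypted=encrypted, reasons=reasons)


if __name__ == "__main__":
    # Constructed sample message: partner recipient, member id only in the subject.
    verdict = check_outbound_phi_email(
        ["intake@monarchhealth.com"], "WBH123456 auth question", "Please call me back.")
    print(verdict)
```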

Page 37: Privacy Presentation 2016

Secure File Portal

• The Secure File Portal should be used whenever transmitting PHI outside of Windstone as an alternative to faxing; remember, it is always best to err on the side of caution if you are unsure.
• For more information about the portal please contact: John Wright @ ext. 283

Page 38: Privacy Presentation 2016

Fax Confidentiality Warning

• Do not delete this from any outgoing emails:

This facsimile transmission, including any attachments, contains information from Windstone Behavioral Health, which may be confidential or privileged. The information is intended to be for the use of the individual or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this facsimile transmission in error, please notify the sender immediately and destroy all copies of the communication, including attachments.

Page 39: Privacy Presentation 2016

Top 10 Privacy & Security Practices

• When in doubt, don’t provide information
• Access information on a need-to-know basis, only to do your job
• Verify fax numbers before sending
• Do NOT send e-mails containing PHI outside of WBH except to those in partnership with WBH (see Wiki policies), or use the “whss” encryption procedure
• Verify the identity of a caller before releasing confidential information
• Discuss patient information as privately as possible
• Never share your password with anyone (except Supervisor)
• Log off before you walk away from your computer
• Maintain security of all patient information in all media (paper, electronic, oral, etc.)
• Dispose of confidential information according to proper procedures (locked shred bins)

Refer complaints and concerns to WBH’s Compliance Officer or Security Officer.

Page 40: Privacy Presentation 2016

HIPAA Violations in the News

• Cignet Health Center, a group of clinics in Maryland, was fined $4.3 million for failing to release medical records to patients requesting them.
• Rite Aid: $1 million fine for disposing of prescriptions and pill bottles in regular trash containers.
• UCLA: $865,500 fine due to employees improperly accessing celebrity patients’ medical records.
• In Alabama, a leader of a counterfeit prescription fraud scheme was sentenced to six years in prison for HIPAA violations and identity theft.

Page 41: Privacy Presentation 2016

Penalties for HIPAA Violations

• HIPAA civil penalties include:
  o $100 / person / violation
  o $25,000 / year for multiple violations

Page 42: Privacy Presentation 2016

Penalties for HIPAA Violations

• HIPAA criminal penalties include:
  o $50K and/or 1 year imprisonment: for knowingly or wrongfully disclosing or receiving PHI
  o $100K and/or 5 years imprisonment: for committing the offense under false pretenses
  o $250K and/or 10 years imprisonment: for intent to sell PHI or client lists for personal gain or malicious harm

You can be personally liable! These penalties apply to oral, paper and electronic Protected Health Information (PHI).

Page 43: Privacy Presentation 2016

Corporate Compliance Officer & Quality Manager

• Person within a Covered Entity who is responsible for monitoring patient privacy, enforcing the HIPAA Privacy Rule and maintaining the physical perimeter of the Covered Entity’s place of business:
  o Lisa Casey
  o 714.384.3870 x 212
  o [email protected]

Page 44: Privacy Presentation 2016

Security Officer

• Person within a Covered Entity who is responsible for monitoring the storage and transmission of electronic PHI:
  o John Wright
  o 714.642.1813 (cell), or
  o 714.384.3870 ext. 283
  o [email protected]

Page 45: Privacy Presentation 2016

HIPAA Complaints

• You are always free to speak with the Security Officer or the Compliance/Privacy Officer; your complaint will be kept confidential
• You may contact the Office of Civil Rights of the Department of Health and Human Services or the Office of the Inspector General
• HIPAA prohibits retaliation of any kind for filing a complaint

Page 46: Privacy Presentation 2016

HIPAA Quiz

1. Does the physician/patient privilege provide for the confidentiality of communications with psychotherapists?
   Yes________ No________
2. What does the acronym CMIA stand for? ________________________________________
3. Is this a state or federal law? _______________
4. What does the acronym HIPAA stand for?
   _____ Health Insurance Privacy and Administration Act
   _____ Health Insurance Portability and Accountability Act
   _____ Healthcare Industry Privacy and Accountability Act
5. Is this a state or federal law? _______________
6. What does HIPAA do?
   ____ Prevent health care fraud and abuse
   ____ Provide for electronic and physical security of a patient’s health information
   ____ Protects the privacy and security of a patient’s health information
   ____ All of the above

Page 47: Privacy Presentation 2016

HIPAA Quiz

7. What does PHI stand for? ________________________________
8. What information constitutes PHI? (check all that apply)
   ____ Concerns the health status of an individual
   ____ Identifies the individual by name, telephone, etc.
   ____ Contains the member’s high school
9. When can you use or disclose PHI?
   ___ For obtaining payment for services, if it is part of your job
   ___ For the treatment of the patient, if it is part of your job
   ___ When the patient has authorized, in writing, its release
   ___ All of the above
10. A violation of PHI is considered a breach when:
   ____ The incident becomes known
   ____ The affected individual finds his/her identity stolen
   ____ The Covered Entity or Business Associate concludes the analysis of whether the facts constitute a breach
   ____ It occurs

Page 48: Privacy Presentation 2016

HIPAA Quiz

11. Which of the following apply to emailing PHI outside of Windstone? (Check all that apply)
   ___ An email to Monarch is automatically secure
   ___ Using the patient name in the subject heading is permissible
   ___ Typing whss in the subject or body of an email will force encryption
   ___ Specific policies and procedures for encryption can be found on the Wiki
   ___ All of the above
12. A staff member may reply to an email communication from a client containing PHI as long as it is secured.
   True_____ False_____
13. Signed authorizations for release of information are considered invalid if there is no expiration date or an event that triggers expiration.
   True_____ False_____
14. What does “minimum necessary” mean? ____________________________________

Page 49: Privacy Presentation 2016

HIPAA Quiz

15. Which of the following is never acceptable to leave in a message on an answering machine?
   ____ The caller’s name
   ____ The minimum necessary information to request that the client return the phone call if necessary
   ____ Test Results
   ____ All of the above
16. What are considered physical safeguards? (check all that apply)
   ____ Confidentiality policy
   ____ Every day at close of business, clean off your desk
   ____ Lock file cabinets and drawers at close of business
   ____ Remove papers from copiers/fax machines
17. What are considered electronic security safeguards? (check all that apply)
   ____ Never share your password with another person
   ____ Never log in on another person’s password
   ____ Never write your password down
   ____ Lock your desk or file cabinets each day
   ____ Never share or open attached files from unknown sources
18. Can you complain about HIPAA violations without retaliation?
   Yes____ No____