Basic HIPAA Training and Requirements - AFMC · 10/9/2019
Copyright © 2019, AFMC, Inc.
HIPAA: Privacy, Security, EDI Transactions & Code Sets, HITECH, Omnibus
Basic HIPAA Training and Requirements
Mollie McCammon, RHIA, CHP
October 9, 2019
Today’s Presenter
Mollie McCammon, RHIA, CHP
AFMC – HIPAA Privacy and Security Policy Analyst
Protect Confidential Information
When patients are at your practice, you want them to feel safe, protected and respected.
Keeping their patient information private will help you do that.
Why am I Getting Training on Patient Privacy?
■ Confidentiality has always been important in health care
■ But now there are federal laws that require us to provide specific training – these are called HIPAA
New Patient Rights Called HIPAA
Health Insurance Portability and Accountability Act of 1996
HIPAA was passed by Congress and signed into law by President Clinton
HIPAA/HITECH/Omnibus
HIPAA Privacy - 2003, HIPAA Security - 2005
• Improve access to health insurance
• Privacy – protect the privacy of health care information
• Security – promote standardization of electronic health care-related records to improve and safeguard their use
• Electronic transactions – simplify claims processing
HITECH - 2010, Omnibus – 2013
• Applies HIPAA rules to business associates – subcontractors
• Enforcement – tiers and penalty structures for violations
• Breach risk assessment factors and notification to patients
• More specifics on use of PHI – marketing, selling, fundraising, deceased, immunization records, accounting of disclosures
• Updates to Notice of Privacy Practices content
• Increased patient rights – electronic copy, copy to third party, out-of-pocket restriction
Who Has to Follow HIPAA Rules?
ALL HEALTHCARE PROVIDERS
… as well as the employees, physicians, volunteers, students, vendors and others who work at and with these facilities!
■ Hospitals
■ Physician offices
■ Nursing homes
■ Pharmacies
■ Rehab facilities
■ Billing services
■ Mental and substance facilities
■ Ambulance services
■ Home health agencies
■ Health departments
■ Health insurance providers
What Patient Information is Protected Information?
PHI = protected health information
■ Anything that can be used to identify the patient
■ Anything about the patient’s past, present or future medical conditions and treatment
■ Includes billing and payment records for the treatment of health care services
■ Even the fact that the patient is a patient is private
Patient Identifiers (Applies to Patients, Families, Household Members, Employers)
164.514(a)(2)(i)(A-R)
■ Name
■ Address (street, city, county, zip codes more than 3 digits)
■ Dates related to patient – except year
■ Ages greater than 89
■ Telephone number
■ Fax number
■ Email addresses
■ Social Security number
■ Medical record number
■ Health plan beneficiary number
■ Account number
■ Certificate/license number
■ Any vehicle (VIN), license plate, serial number
■ Device identifiers and serial numbers
■ Web URL
■ Internet protocol (IP) address
■ Biometric – finger or voice prints
■ Photographic images
■ Any other unique identifying number, characteristic or code
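The identifier list above is also the rule set for de-identifying a record: the direct identifiers come out entirely, and the three the slide lets you keep in reduced form (dates to the year, ZIP codes to three digits, ages above 89 to one bucket) are generalized rather than dropped. The following is an added example written for this transcript, not AFMC's or HHS's code, showing those rules applied to a constructed patient record, plus a free-text scan for identifier-shaped strings that still need redaction. Field names, regexes and sample values are assumptions for the demo. It goes one step past the slide in one place: when the age is 90 or above, the birth year is blanked too, since under the Safe Harbor rule a date that reveals such an age is itself an identifier.

```python
"""Added example (not from the AFMC slides): apply the slide's identifier
rules to a patient record and scan free text for identifier-shaped strings.
Field names, patterns and sample data are constructed for this demo."""
import re

# Fields holding identifiers the slide lists as direct identifiers.
# These field names are assumptions for this example, not a standard schema.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number", "vin",
    "license_plate", "device_serial", "url", "ip_address", "biometric", "photo",
}

# Free-text patterns for some of the listed identifiers (constructed regexes).
TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def generalize_zip(zip_code: str) -> str:
    """Keep at most the first three digits (slide: ZIP codes with more than
    three digits are identifiers). Safe Harbor additionally requires the
    3-digit area to cover more than 20,000 people; that lookup is not modelled."""
    digits = re.sub(r"\D", "", zip_code)
    return digits[:3] if len(digits) >= 3 else ""


def generalize_date(value: str) -> str:
    """Reduce an ISO date (YYYY-MM-DD) to its year; anything else is dropped."""
    return value[:4] if re.fullmatch(r"\d{4}-\d{2}-\d{2}", value) else ""


def generalize_age(age: int) -> str:
    """Ages greater than 89 are collapsed into a single bucket."""
    return "90+" if age > 89 else str(age)


def deidentify(record: dict) -> dict:
    """Copy of the record with direct identifiers removed and the remaining
    quasi-identifiers generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key == "dob" or key.endswith("_date"):
            out[key] = generalize_date(value)
        elif key == "age":
            out[key] = generalize_age(value)
        else:
            out[key] = value
    # Beyond the slide text: a birth year that reveals an age over 89 is itself
    # an identifier under Safe Harbor, so it is blanked for the 90+ bucket.
    if record.get("age", 0) > 89 and "dob" in out:
        out["dob"] = ""
    return out


def find_identifiers_in_text(text: str) -> list:
    """(kind, matched_string) pairs for identifier-shaped strings in free text."""
    hits = []
    for kind, pattern in TEXT_PATTERNS.items():
        hits.extend((kind, m.group(0)) for m in pattern.finditer(text))
    return hits


# Constructed sample data; no real patient.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-000123",
    "ssn": "123-45-6789",
    "dob": "1927-03-15",
    "age": 92,
    "zip": "72205-1234",
    "admit_date": "2019-10-09",
    "diagnosis": "Type 2 diabetes",
}

SAMPLE_NOTE = ("Pt called from 555-010-0199, gave SSN 123-45-6789, asked for results "
               "at jdoe@example.com; portal login seen from 203.0.113.7.")

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
    print(find_identifiers_in_text(SAMPLE_NOTE))
```

The record walker handles structured fields; the text scanner is what catches identifiers that end up in narrative notes, which is where the "any other unique identifying number" item on the slide usually bites.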
How is Protected Health Information Shared?
■ There are several ways patient information can be shared:
• Spoken/oral
• Written/paper
• Electronic/computer
• Visual/eyes
■ All of these are protected under HIPAA
Why Comply With HIPAA? There are Federal Penalties
■ Federal penalties apply to both individuals and facilities for failure to comply with HIPAA requirements
■ Two types of penalties
• CRIMINAL penalties – up to 10 years in prison
• CIVIL penalties – see table on next slide
Why Comply With HIPAA? Federal Penalties – Civil penalties
(The civil penalty table shown on this slide is not reproduced in the transcript.)
**The annual limit is per year for every year the violation persisted.
Updated April 2019
Why Comply With HIPAA? Employer Penalties
■ Besides federal penalties, your employer has a sanction policy which includes protecting patient privacy
■ If an employee violates patient confidentiality and privacy, the end result could be termination
HIPAA Privacy
HIPAA Privacy Policies
Notice of Privacy Practices
Minimum Necessary
De-identification and Limited Data Set
Use and Disclosures
Right to Access
Request to Amend
Request to Restrict and Alternate Communications
Request for Accounting of Disclosures
Faxing PHI
Policies covering multiple standards:
HIPAA Implementation and Oversight
HIPAA Training Policy
Sanction Policy
Breach Policy
Workforce Clearance
Business Associate Policy
HIPAA Privacy Officer
The privacy regulations require each health care organization to appoint a privacy officer. Job duties include:
■ Policies and procedures – develop, implement and update processes
■ Notice of Privacy Practices – establish, update and post the Notice of Privacy Practices
■ Patient complaints – contact person for patients who have privacy complaints and employees who have privacy concerns
■ HIPAA training – work in conjunction with the security officer and the HIPAA committee to provide HIPAA training to employees, students, volunteers
■ Breach – prepare and send breach notifications
■ Changes to HIPAA regulations – keep up with changes and implement
Who is the privacy officer at your practice?
When is it Appropriate to Use Patient Information?
164.506
While we are taking care of our patients, HIPAA says we are allowed to use patient information for:
■ Treatment
■ Payment
■ Health care operations
(Often referred to as TPO)
If releasing patient information falls under one of these three categories, you do not have to have a signed authorization from the patient to share the information.
HIPAA Definition of Treatment
■ Communication between doctor and nurses, between practices, between the practice and other providers, between referring providers or care managers
■ Coordination of follow up
• Continued care coordination
• Making an appointment with a specialist
• Working with nursing home placement
• Referral to hospice care
• Arranging for medical equipment
• Arranging home care
HIPAA Definition of Payment
The communication between the practice and the person or company who will be paying the practice. Communication will include functions such as:
■ Determining pre-eligibility and coverage
■ Sending bills and receiving payment on claims
■ Utilization review (ex: authorizing days or medical necessity)
■ Collection agency activities
■ Review of claims if disputed
HIPAA Definition of Health Care Operations
■ Quality measures
■ Improvement activities
■ Professional review
■ Health insurance contracting
■ Certain outside reviews (e.g. state health department or financial auditors)
■ Administrative business planning, development and management
Other Requests for Patient Info: Required Reporting
164.512(a-l)
■ Public health – disease control, vital records
■ Product recalls
■ Reporting adverse reactions to medications
■ Reporting suspected abuse, neglect or domestic violence
■ Preventing or reducing a serious threat to patient health or safety
■ Government functions
■ State specific laws
Refer all these types of requests to the Privacy Officer
Other Requests for Patient Info: Patient Authorization
164.508(a)(1-4)
Patient authorization required
■ Request to send to a third party – life insurance
■ Request for records from attorney
■ Psychotherapy notes
■ Marketing
■ Research
Refer all these types of requests to the Privacy Officer
Precautions to Protect Patient Information
Verify identity
If you do not know the person who is asking for patient information, take steps to verify their identity
• Ask to see their driver’s license or identification badge
• Ask for the patient’s birth date, address, phone #
• Compare signatures
Verify authority
Once you know who they are, be sure they have the right to see patient information (question why they need the information or the purpose of the request)
Before talking to family members, ask the patient for permission
Other Precautions with Patient Information
■ Only share the minimum patient information necessary for the request.
■ Cover patient information from public eyes.
■ Use the hold button on telephones or cover the mouthpiece of the phone when the caller is waiting.
■ Leave minimal information on patient voice mails.
■ Do not leave patient information unattended.
■ Visitors in the room – don’t assume you can discuss in front of them. Always ask the patient if it is OK to discuss or if the patient would like the visitors to step out.
If you are unsure about releasing information under TPO, required reporting or patient authorization, check with the privacy officer
Should I Have Access to Patient Information?
Before you look at patient information on paper or on the computer, or before you ask someone about patient information, ALWAYS ASK YOURSELF:
“Do I need to know this to do my job?”
If the answer is yes: look at only the information you need and don’t share it unless it is for the patient’s continued care.
If the answer is no: STOP and don’t ask, don’t listen and don’t look!
Even Our Trash is Private!
■ Before putting papers in the trash can, remember:
• Papers are to be shredded if there is a patient identifier or any confidential information on them.
• Destroy media on which patient information is stored. This includes CDs, hard drives, thumb drives and fax cartridges.
Where is the shred bin at your practice?
Faxing Patient Information
■ Patient information may be sent by fax only when urgently needed for timely patient care or required for continuity of care
■ We should limit the amount of information we send by fax to what is absolutely necessary
■ Refer to your practice Fax Policy
Steps to Protecting PHI While Faxing
■ Always use a cover page
■ Use preprogrammed fax numbers on fax machines when possible
■ Always double check the fax number before and after you send the fax
■ A confirmation page should print after the documents are sent
■ Keep the cover page and confirmation page with the medical record for documentation
Document, Document, Document
When releasing patient information, always document the following:
■ Who requested the information
■ What information was sent
■ Purpose or why it was needed
■ Who it was sent to
■ The date it was sent
■ The employee who sent it
Misdirected faxes must be reported to the privacy officer
Patient Rights Under HIPAA
Patients have the right to request:
■ Access – inspect and obtain a copy of their medical record
■ Restriction of patient information, including out-of-pocket disclosures
■ Amendment to their medical record
■ Accounting of disclosures
■ Confidential communications
■ Receive a paper copy of the Notice of Privacy Practices
■ File a complaint
Patients know about these rights from the Notice of Privacy Practices
Talk to your privacy officer about how to handle requests from patients and the forms to use
Our Responsibilities to PATIENTS
■ Maintain the privacy of medical information
■ Provide patients with a copy of the Notice of Privacy Practices and abide by the terms
• Posted in common areas such as the waiting room
• Posted on practice website
• Given to all new patients
• Available to patients when they ask for it
■ Notify the patient if you are unable to agree to a restriction that they have requested
■ Accommodate reasonable requests from the patient regarding their medical information
Social Media
■ As a health care employee, social media can get you in HIPAA trouble fast!
■ Do not take pictures of patients or PHI at work.
■ Patient relationships should remain professional.
■ Your town is much smaller than you think. As a health care provider, your words have power, and people think you learn everything at work.
Our Responsibilities as Employees, Providers, Volunteers and Students
■ Don’t snoop, pry or gossip.
■ Only access patient information needed for your job duties.
■ Close curtains and doors. Knock before entering a patient room.
■ Double check paperwork before handing it to the patient – correct names?
■ Keep your voice down. Do not discuss patient information in public areas (hallways, break rooms). Who is listening around you?
■ Do not allow family of patients or employees, visitors, or patients in your work area where patient information is kept.
■ Be sensitive. How would you want your patient information handled?
What Can I Say?
If I see a friend who is a patient or their family in the practice, parking lot or in public, what should I do?
■ You can
• Say “hi” and make small talk with them.
• Be concerned for them. If they share with you why they are being treated or their medical condition, offer your empathy or concern.
• Ask if there is anything you can do. If they take you up on this and the job falls outside of your duties, be sure and pass that along to the appropriate person.
What Can I Say?
If I see a friend who is a patient or their family in the practice, parking lot or in public, what should I do?
■ You cannot
• Talk amongst co-workers about seeing them or your conversation with them.
• Tell friends and family that you saw them or your conversations with them.
• Call another employee, look at the patient chart or look them up in the EHR to see why they are here.
What Do I Do If …?
■ I see something that looks like a privacy issue or problem? Talk to the HIPAA privacy officer.
■ A patient or family member complains to me about a privacy matter? Take steps to resolve the issue and pass it along to the privacy officer.
If you have any question at all about a privacy matter, please let the privacy officer know!
HIPAA Security
HIPAA Security Requirements
Physical Safeguards
• Facility access controls
• Workstation use and security
• Device controls
o Tracking
o Data backup
o Disposal
Technical Safeguards
• Software access controls
• Encryption
• Audit controls
• Integrity of PHI
• Transmission of PHI security
Administrative Safeguards
• Risk analysis
• Assign security officer
• Workforce security precautions
• Limit electronic access
• Training
• Password management
• Incident procedures
• Contingency plans
• Business associate contracts
HIPAA Security Policies
Identification and Authentication
Network Connectivity
Malicious Code
Encryption
Building Security
Telecommuting/Remote access
Removable Media
Mobile Devices and Phones
Retention and Destruction of Practice Information
Disposal and Reuse of Electronic Media
Change Management
Audit Controls
Information System Activity Review
Data Integrity
Contingency Plan
Security Management Process
Emergency Operation Procedures
HIPAA Security Officer
The security regulations require each health care provider to appoint a HIPAA security officer. Job duties include:
• Develop, implement and update security processes, policies and procedures
• Monitor electronic access to patient information including access levels and logins
• Work in conjunction with the privacy officer and HIPAA committee on training and breach investigation
• Monitor compliance with security policies and procedures
• Coordinate security risk assessments
• Prepare practice disaster recovery and business continuity plans for information systems
• Monitor changes in security technology and HIPAA regulations that will affect the practice
Who is the security officer at your practice?
HIPAA Security Protections
■ Computer screens at each workstation should be positioned so only authorized users at that workstation can read the display.
■ When stepping away from a computer, the user should log off or lock the workstation (Windows key + L).
■ Printers, copiers and fax devices should be located in a secure area and checked often. Patient information should not be left unattended on these machines.
■ Visitors should be checked in and/or escorted through the facility, and their access to patient information areas should be restricted.
HIPAA Security Protections
■ Access to electronic patient information is granted based on the needs of your job responsibilities
■ Keep mobile devices stored securely
■ Entrances should be monitored or locked for physical security
■ Text and instant messaging are not secure methods for sending PHI
■ Any employee observing or having knowledge of unauthorized access, use or disclosure of patient information must report it to the security officer or privacy officer
Protect Passwords
■ Keep passwords confidential
■ Logins and passwords should never be written on a sticky note and placed on a monitor, keyboard, drawer or other visible location
■ Avoid maintaining a paper record of passwords
■ Do not use the same password for personal and business accounts
■ Change password at regular intervals and limit reusing old passwords
Protect Passwords
■ If you think someone accessed your password, change it
■ Always change temporary passwords at first log on
■ Do not include passwords in any automated log-on process
■ Do not allow your computer to remember passwords for you
■ Immediately report anyone outside the practice asking for your password, even if they are a vendor
Protect Passwords
■ Choose a strong password that is not easily guessed
■ The longer the better
■ Use an alphanumeric mix, upper and lower case, symbols
■ Don’t use content that people will know about you
■ Passwords should not consist of the user’s name, spouse’s name, child or grandchild names, pet names, dates of special occasions (birthdays or anniversaries), famous people’s names and the like
Password Helps
To make your password easy to remember, don't use a password. Use a passphrase. Use a quote, saying or verse.
■ No use crying over spilled milk – Nuc@sm!K
■ I’m a poor man – 1'm@p00rm@n
Take the first letter of each word and add some numbers and symbols. Then when you need to remember your password, sing a song (to yourself).
■ We all live in a yellow submarine – w@1i@ys
■ Mary had a little lamb – M@ryh@d@l1ttlel@mb
Email Use
■ Information that is transmitted via email is not secure!
■ When sending patient information to an email address outside of the practice, encrypt!
■ Contact IT for instructions
Cybersecurity
■ Keep antivirus and software updates current
■ Back up your data
■ Protect your mobile devices from theft
■ Do not allow strangers to use your devices
■ If emails look suspicious, ask your IT to review before clicking
Phishing
Definition: The fraudulent practice of sending emails appearing to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers
Phishing
■ Be wary of emails from unknown sources seeking information.
■ Watch for emails from people you DO know, but the email address is not correct, or the subject doesn’t sound like that person.
■ Watch for misspelling or grammatically bad sentences.
■ Often, they are giving away a prize. If it sounds too good to be true, it is probably an attempt to get your information.
■ Even if the logos are correct from the sender, look for other phishing red flags.
Phishing
■ Hover over links before clicking – if the address changes or does not match the content of the email, it’s bad news (slide example: www.freegiftcard.com)
■ Do not click on links in junk or spam emails
■ Do not open attachments or click on links from people you do not know
■ Do not enter personal information into forms
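The "hover over the link" check above compares what the link says with where it actually goes. The following is an added example written for this transcript, not AFMC's code, that performs the same comparison over an HTML email body: for every anchor whose visible text looks like a web address, the host named in the text is compared with the host in the href, and any disagreement is reported. Links whose text is plain wording ("click here") have nothing to compare against and are skipped. The sample message is constructed; its domains are reserved documentation names, with the slide's own www.freegiftcard.com used only as displayed link text.

```python
"""Added example (not from the AFMC slides): flag links in an HTML email whose
visible address and real href target point at different hosts.
The sample message is constructed for this demo."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Something that reads like a web address inside visible link text.
URL_LIKE = re.compile(r"(?:https?://)?(?:www\.)?[\w-]+(?:\.[\w-]+)*\.[A-Za-z]{2,}(?:/\S*)?")


def host_of(url: str) -> str:
    """Lower-cased hostname with a leading 'www.' removed; '' if unparsable."""
    if "://" not in url:
        url = "http://" + url          # urlparse needs a scheme to find the host
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html: str) -> list:
    """One dict per link whose displayed address and real target disagree."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        match = URL_LIKE.search(text)
        if not match:
            continue                    # plain wording; nothing to compare against
        shown, actual = host_of(match.group(0)), host_of(href)
        if shown != actual:
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


# Constructed phishing-style message; example.com/example.net are reserved test domains.
SAMPLE_EMAIL = """
<p>Congratulations! Claim your prize at
<a href="http://prize-claim.example.net/verify">www.freegiftcard.com</a>.</p>
<p>Manage your account at
<a href="https://www.example.com/account">https://www.example.com/account</a>.</p>
<p>Or <a href="https://www.example.com/help">click here</a> for help.</p>
"""

if __name__ == "__main__":
    for f in mismatched_links(SAMPLE_EMAIL):
        print(f"shown {f['shown']!r} but link goes to {f['actual']!r} ({f['href']})")
```

Only the first link is flagged: the text names one host and the href another, which is exactly what a hover reveals. The second link agrees with itself and the third has no address in its text, so neither is reported.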
Notify the Security Officer if …
■ You see something that looks like a computer security issue or problem
■ Your computer is not acting correctly, or you receive error messages that you have not seen before
■ You realize someone is using your password
■ You see a stranger on a computer
■ You notice equipment is missing
■ You get a suspicious email
I Couldn’t Help Overhearing
■ There’s no doubt that you will overhear private patient information as you do your day-to-day work.
■ As long as you keep it to yourself, you have nothing to worry about!
Privacy and Security are Common Sense
■ You’ve already been practicing this in the past
■ All of your patient information is private and confidential
■ Even the fact that the patient is here for treatment is private and cannot be told
■ A good rule to follow is:
• “If you learned it at your work, it is private and cannot be repeated!” – The Privacy Golden Rule
HIPAA Training Requirements: Tips for the Privacy and Security Officer
What do the Regulations Say? HIPAA Security Regulations
§ 164.308 Administrative safeguards. A covered entity or business associate must, in accordance with § 164.306:
(5)(i) Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).
(A) Security reminders (Addressable). Periodic security updates.
(B) Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.
(C) Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.
(D) Password management (Addressable). Procedures for creating, changing, and safeguarding passwords.
What do the Regulations Say? HIPAA Privacy Regulations
§ 164.530 Administrative requirements.
(b)(1) Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.
(2) Implementation specifications: Training.
(i) A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows:
(A) To each member of the covered entity's workforce by no later than the compliance date for the covered entity;
(B) Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce; and
(C) To each member of the covered entity's workforce whose functions are affected by a material change in the policies or procedures within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section.
(ii) A covered entity must document that the training as described in paragraph (b)(2)(i) of this section has been provided, as required by paragraph (j) of this section.
Frequency, Timeframes, Documentation
Training frequency and timeframes
Training should be conducted
■ as required,
■ upon initial hire,
■ annually, and
■ periodically.
Retention of training documentation is required and shall be maintained for 6 years
Documentation of training must include:
■ date,
■ staff in attendance (including sign-in sheets),
■ method of training,
■ speaker,
■ content (including handouts),
■ location,
■ duration and
■ all other factors
Specific Training
HIPAA requires employees to be trained on HIPAA for their specific job functions. If you perform the following, you need additional HIPAA training:
■ Release of information
■ Information systems maintenance and oversight
■ Contracts/business associate agreements
■ Breach investigation and reporting
■ Patient complaints and requests for
• Amendment
• Alternate communications
• Accounting of disclosures
• Copies or inspection of records
• Restrictions and out-of-pocket requests
Suggested Content
Content of training should be relevant to HIPAA requirements, including:
■ Recognizing malicious software
■ Log-in protections
■ Password management
■ Practice policies
■ Governmental legislation (or changes to HIPAA)
■ Facility changes
■ Results of audits and reviews
■ Technology changes
■ Notice of threats and viruses
HIPAA Training Resources
The Office for Civil Rights (OCR) continues to post notices of fines assessed against providers for failure to safeguard protected health information. To assist providers with training staff on HIPAA requirements, the Department of Health and Human Services (HHS) has published the following recommended training materials on its website:
Helping Entities Implement Privacy and Security Protections
http://www.hhs.gov/ocr/privacy/hipaa/understanding/training
HIPAA Training Resources
The HealthIT.gov website points to a Guide to Privacy and Security of Electronic Health Information, which provides a beginner's overview of what the HIPAA Rules require. The page also has links to security training, risk assessment tools and other aids.
Privacy and Security Challenge
https://www.healthit.gov/topic/privacy-security-and-hipaa/privacy-security-training-games
HIPAA Training Resources
The HHS OCR cybersecurity newsletter is published monthly. Articles cover hot topics in today’s ever-changing cyber world:
■ Articles from 2016 and 2017 can be found at https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/cybersecurity-newsletter-archive/index.html
■ Articles from 2018 can be found at https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html
Questions
AFMC Security Risk Analysis
email [email protected]
call 501-906-7511
online afmc.org/SRA
See it? Hear it? Don’t tell it!