Basic HIPAA Training and Requirements - AFMC · 10/9/2019  · Certificate/license number Any...

Page 1: Basic HIPAA Training and Requirements

Copyright © 2019, AFMC, Inc.

HIPAA · Privacy · Security · EDI Transactions & Code Sets · HITECH · Omnibus

Basic HIPAA Training and Requirements
Mollie McCammon, RHIA, CHP
October 9, 2019

Page 2: Today’s Presenter

Mollie McCammon, RHIA, CHP
AFMC – HIPAA Privacy and Security Policy Analyst

Page 3: Protect Confidential Information

When patients are at your practice, you want them to feel safe, protected and respected. Keeping their patient information private will help you do that.

Page 4: Why am I Getting Training on Patient Privacy?

■ Confidentiality has always been important in health care
■ But now federal law requires us to provide specific privacy and security training – these requirements are called HIPAA

Page 5: New Patient Rights Called HIPAA

Health Insurance Portability and Accountability Act of 1996
HIPAA was passed by Congress and signed into law by President Clinton

Page 6: HIPAA/HITECH/Omnibus

HIPAA – 1996
• Improve access to health insurance
• Privacy – protect the privacy of health care information
• Security – set standards for safeguarding electronic health information
• Electronic transactions – standardize and simplify claims processing

HIPAA Privacy Rule – 2003 (compliance date)
HIPAA Security Rule – 2005 (compliance date)

HITECH – enacted 2009, most provisions effective 2010
Omnibus Rule – 2013
• Applies HIPAA rules to business associates and their subcontractors
• Enforcement – tiers and penalty structures for violations
• Breach risk assessment factors and notification to patients
• More specifics on use of PHI – marketing, selling, fundraising, deceased individuals, immunization records, accounting of disclosures
• Updates to Notice of Privacy Practices content
• Increased patient rights – electronic copy, copy to a third party, out-of-pocket restriction

Page 7: Who Has to Follow HIPAA Rules?

ALL HEALTHCARE PROVIDERS … as well as the employees, physicians, volunteers, students, vendors and others who work at and with these facilities!

(In the regulation’s terms: covered entities – health plans, health care clearinghouses and providers that transmit health information electronically – and the business associates that handle PHI for them.)

■ Hospitals
■ Physician offices
■ Nursing homes
■ Pharmacies
■ Rehab facilities
■ Billing services
■ Mental health and substance use treatment facilities
■ Ambulance services
■ Home health agencies
■ Health departments
■ Health insurance providers

Page 8: Basic HIPAA Training and Requirements - AFMC · 10/9/2019  · Certificate/license number Any vehicle (VIN), license plate, serial number ... HIPAA training –work in conjunction

■ Anything that can be used to identify the patient

■ Anything about the patient’s past, present or future medical conditions and treatment

■ Includes billing and payment records for the treatment of health care services

■ Even the fact that the patient is a patient is private

PHI = protected health information

8

What Patient Information is Protected Information?

Copyright © 2019, AFMC, Inc.

Page 9: Patient Identifiers (Applies to Patients, Families, Household Members, Employers)

The 18 identifiers that must be removed for Safe Harbor de-identification, 45 CFR 164.514(b)(2)(i)(A)–(R):

■ Name
■ Address – street, city, county, precinct and ZIP code (all geographic subdivisions smaller than a state; under Safe Harbor only the first three ZIP digits may stay, and only where that three-digit area holds more than 20,000 people)
■ All elements of dates (except year) directly related to the patient – birth, admission, discharge, death
■ Ages over 89 (and any date elements, including year, that indicate such an age)
■ Telephone number
■ Fax number
■ Email addresses
■ Social Security number
■ Medical record number
■ Health plan beneficiary number
■ Account number
■ Certificate/license number
■ Any vehicle identifier (VIN), license plate, serial number
■ Device identifiers and serial numbers
■ Web URL
■ Internet protocol (IP) address
■ Biometric identifiers – finger or voice prints
■ Full-face photographic images and comparable images
■ Any other unique identifying number, characteristic or code
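The identifier list above is the input to Safe Harbor de-identification. The following is an added example, not part of the AFMC deck, that applies those rules to a constructed patient record: direct identifiers are dropped, the ZIP code is cut to three digits (or 000 for the sparsely populated prefixes HHS lists), dates keep only the year, ages over 89 become 90+ with the birth year removed as well, and identifier-shaped strings in free text are redacted. The field names, the sample record and the regular expressions are assumptions made for illustration, and the restricted ZIP list should be checked against current HHS guidance before use.

```python
"""Safe Harbor de-identification of a patient record, 45 CFR 164.514(b)(2).

Added example for this training deck, not AFMC code. The field names, the record
layout and the sample patient are constructed for illustration.
"""
import re
from datetime import date

# Fields removed outright. ZIP code, dates and age are handled separately below.
DROP_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_no", "license_no", "vin", "plate", "device_serial",
    "url", "ip", "biometric", "photo",
}

# Three-digit ZIP prefixes with 20,000 or fewer people in the HHS Safe Harbor
# guidance (2000 Census). Assumption: check against current HHS guidance.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}

# Identifier-shaped strings that hide inside free-text fields.
TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"https?://\S+|www\.\S+"), "[URL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"), "[DATE]"),
]


def safe_harbor_zip(zip_code):
    """Item (B): keep the first three ZIP digits, or '000' for sparse prefixes."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def safe_harbor_age(birth_date, as_of):
    """Item (C): age in whole years, with everything over 89 collapsed to '90+'."""
    had_birthday = (as_of.month, as_of.day) >= (birth_date.month, birth_date.day)
    years = as_of.year - birth_date.year - (0 if had_birthday else 1)
    return "90+" if years > 89 else str(years)


def scrub_text(text):
    """Replace identifier-shaped substrings in free text with placeholders."""
    for pattern, placeholder in TEXT_PATTERNS:
        text = pattern.sub(placeholder, text)
    return text


def deidentify(record, as_of):
    """Return a new dict holding only what Safe Harbor permits from `record`."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif key == "birth_date":
            age = safe_harbor_age(value, as_of)
            out["age"] = age
            if age != "90+":  # over 89, the birth year itself reveals the age
                out["birth_year"] = value.year
        elif key.endswith("_date") and isinstance(value, date):
            out[key[:-5] + "_year"] = value.year  # admission, discharge, death: year only
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


# Constructed sample record; not a real patient.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street": "12 Example Ln",
    "city": "Little Rock",
    "state": "AR",
    "zip": "72201-1234",
    "birth_date": date(1928, 3, 15),
    "admit_date": date(2019, 10, 2),
    "diagnosis": "I10",
    "mrn": "MRN-00012345",
    "phone": "501-555-0123",
    "notes": "Pt reached at 501-555-0123, follow-up 10/9/2019 via jane@example.com.",
}
SAMPLE_AS_OF = date(2019, 10, 9)


def deidentify_sample():
    """De-identify the constructed record as of 9 October 2019."""
    return deidentify(SAMPLE_RECORD, SAMPLE_AS_OF)
```

Calling deidentify_sample() leaves state, zip3 722, age 90+ (no birth year), admit_year 2019, the diagnosis code and a scrubbed note. Safe Harbor is one of the two de-identification methods in 164.514(b); the other is an expert determination. The regular expressions catch only well-formed identifiers, so free-text notes still need human review before release.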

Page 10: How is Protected Health Information Shared?

■ There are several ways patient information can be shared:
• Spoken/oral
• Written/paper
• Electronic/computer
• Visual/eyes
■ All of these are protected under HIPAA

Page 11: Why Comply With HIPAA? There are Federal Penalties

■ Federal penalties apply to individuals as well as to facilities for failure to comply with HIPAA requirements
■ Two types of penalties
• CRIMINAL penalties – up to 10 years in prison for the most serious offenses (obtaining or disclosing PHI with intent to sell it, or to use it for commercial advantage, personal gain or malicious harm)
• CIVIL penalties – see table on next slide

Page 12: Why Comply With HIPAA? Federal Penalties – Civil Penalties

[Civil penalty table (tiers, per-violation amounts and annual limits, updated April 2019) not reproduced in the transcript.]

**The annual limit is per year for every year the violation persisted.

Page 13: Why Comply With HIPAA? Employer Penalties

■ Besides federal penalties, your employer has a sanction policy which includes protecting patient privacy
■ If an employee violates patient confidentiality and privacy, the end result could be termination

Page 14: HIPAA Privacy

Page 15: HIPAA Privacy Policies

Notice of Privacy Practices
Minimum Necessary
De-identification and Limited Data Set
Use and Disclosures
Right to Access
Request to Amend
Request to Restrict and Alternate Communications
Request for Accounting of Disclosures
Faxing PHI

Policies covering multiple standards:
HIPAA Implementation and Oversight
HIPAA Training Policy
Sanction Policy
Breach Policy
Workforce Clearance
Business Associate Policy

Page 16: HIPAA Privacy Officer

The privacy regulations require each covered entity to designate a privacy officer (45 CFR 164.530(a)). Job duties include:

■ Policies and procedures – develop, implement and update processes
■ Notice of Privacy Practices – establish, update and post the Notice of Privacy Practices
■ Patient complaints – contact person for patients who have privacy complaints and employees who have privacy concerns
■ HIPAA training – work in conjunction with the security officer and the HIPAA committee to provide HIPAA training to employees, students, volunteers
■ Breach – prepare and send breach notifications
■ Changes to HIPAA regulations – keep up with changes and implement

Who is the privacy officer at your practice?

Page 17: When is it Appropriate to Use Patient Information

While we are taking care of our patients, HIPAA says we are allowed to use patient information for:

Treatment
Payment
Health care operations
(Often referred to as TPO)

If releasing patient information falls under one of these three categories, you do not have to have a signed authorization from the patient to share the information.

45 CFR 164.506

Page 18: HIPAA Definition of Treatment

■ Communication between doctor and nurses, between practices, between the practice and other providers, between referring providers or care managers
■ Coordination of follow up
• Continued care coordination
• Making an appointment with a specialist
• Working with nursing home placement
• Referral to hospice care
• Arranging for medical equipment
• Arranging home care

Page 19: HIPAA Definition of Payment

The communication between the practice and the person or company who will be paying the practice. Communication will include functions such as:

■ Determining pre-eligibility and coverage
■ Sending bills and receiving payment on claims
■ Utilization review (ex: authorizing days or medical necessity)
■ Collection agency activities
■ Review of claims if disputed

Page 20: HIPAA Definition of Health Care Operations

■ Quality measures
■ Improvement activities
■ Professional review
■ Health insurance contracting
■ Certain outside reviews (e.g. state health department or financial auditors)
■ Administrative business planning, development and management

Page 21: Other Requests for Patient Info: Required Reporting

■ Public health – disease control, vital records
■ Product recalls
■ Reporting adverse reactions to medications
■ Reporting suspected abuse, neglect or domestic violence
■ Preventing or reducing a serious threat to patient health or safety
■ Government functions
■ State specific laws

45 CFR 164.512(a)–(l)

Refer all these types of requests to the Privacy Officer

Page 22: Other Requests for Patient Info: Patient Authorization

Patient authorization required

■ Request to send to a third party – life insurance
■ Request for records from attorney
■ Psychotherapy notes
■ Marketing
■ Research

45 CFR 164.508(a)(1)–(4)

Refer all these types of requests to the Privacy Officer

Page 23: Precautions to Protect Patient Information

Verify identity
If you do not know the person who is asking for patient information, take steps to verify their identity
• Ask to see their driver’s license or identification badge
• Ask for the patient’s birth date, address, phone #
• Compare signatures

Verify authority
Once you know who they are, be sure they have the right to see patient information (question why they need the information or the purpose of the request)

Before talking to family members, ask the patient for permission

Page 24: Other Precautions with Patient Information

■ Only share the minimum patient information necessary for the request.
■ Cover patient information from public eyes.
■ Use the hold button on telephones or cover the mouthpiece of the phone when the caller is waiting.
■ Leave minimal information on patient voice mails.
■ Do not leave patient information unattended.
■ Visitors in the room – don’t assume you can discuss in front of them. Always ask the patient if it is OK to discuss or if the patient would like the visitors to step out.

If you are unsure about releasing information under TPO, required reporting or patient authorization, check with the privacy officer

Page 25: Should I Have Access to Patient Information?

Before you look at patient information on paper or on the computer, or before you ask someone about patient information, ALWAYS ASK YOURSELF:

“Do I need to know this to do my job?”

If the answer is yes: look at only the information you need and don’t share it unless it is for the patient’s continued care

If the answer is no: STOP and don’t ask, don’t listen and don’t look!

Page 26: Even Our Trash is Private!

■ Before putting papers in the trash can remember:
• Papers are to be shredded if there is a patient identifier or any confidential information on them.
• Destroy media in which patient information is stored. This includes CDs, hard drives, thumb drives and fax cartridges.

Where is the shred bin at your practice?

Page 27: Faxing Patient Information

■ Patient information may be sent by fax only when urgently needed for timely patient care or required for continuity of care
■ We should limit the amount of information we send by fax to what is absolutely necessary
■ Refer to your practice Fax Policy

Page 28: Steps to Protecting PHI While Faxing

■ Always use a cover page
■ Use preprogrammed fax numbers on fax machines when possible
■ Always double check the fax number before and after you send the fax
■ A confirmation page should print after the documents are sent
■ Keep the cover page and confirmation page with the medical record for documentation

Page 29: Document, Document, Document

When releasing patient information, always document the following:

■ Who requested the information
■ What information was sent
■ Purpose or why it was needed
■ Who it was sent to
■ The date it was sent
■ The employee who sent it

Misdirected faxes must be reported to the privacy officer

Page 30: Patient Rights Under HIPAA

Patients have the right to request:

■ Access – inspect and obtain a copy of their medical record
■ Restriction of disclosures, including disclosures to a health plan for services the patient paid for out of pocket in full
■ Amendment to their medical record
■ Accounting of disclosures
■ Confidential communications
■ Receive a paper copy of the Notice of Privacy Practices
■ File a complaint

Patients know about these rights from the Notice of Privacy Practices

Talk to your privacy officer about how to handle requests from patients and the forms to use

Page 31: Our Responsibilities to PATIENTS

■ Maintain the privacy of medical information
■ Provide patients with a copy of the Notice of Privacy Practices and abide by the terms
• Posted in common areas such as the waiting room
• Posted on practice website
• Given to all new patients
• Available to patients when they ask for it
■ Notify the patient if you are unable to agree to a restriction that they have requested
■ Accommodate reasonable requests from the patient regarding their medical information

Page 32: Social Media

■ As a health care employee, social media can get you in HIPAA trouble fast!
■ Do not take pictures of patients or PHI at work.
■ Patient relationships should remain professional.
■ Your town is much smaller than you think. As a health care provider, your words have power, and people think you learn everything at work.

Page 33: Our Responsibilities as Employees, Providers, Volunteers and Students

■ Don’t snoop, pry or gossip.
■ Only access patient information needed for your job duties.
■ Close curtains and doors. Knock before entering a patient room.
■ Double check paperwork before handing to the patient – correct names?
■ Keep your voice down. Do not discuss patient information in public areas (hallways, break rooms). Who is listening around you?
■ Do not allow family of patients or employees, visitors, or patients in your work area where patient information is kept.
■ Be sensitive. How would you want your patient information handled?

Page 34: What Can I Say?

If I see a friend who is a patient or their family in the practice, parking lot or in public, what should I do?

■ You can
• Say “hi” and make small talk with them.
• Be concerned for them. If they share with you why they are being treated or their medical condition, offer your empathy or concern.
• Ask if there is anything you can do. If they take you up on this and the job falls outside of your duties, be sure to pass that along to the appropriate person.

Page 35: What Can I Say?

If I see a friend who is a patient or their family in the practice, parking lot or in public, what should I do?

■ You cannot
• Talk amongst co-workers about seeing them or your conversation with them.
• Tell friends and family that you saw them or your conversations with them.
• Call another employee, look at the patient chart or look them up in the EHR to see why they are here.

Page 36: What Do I Do If …?

■ I see something that looks like a privacy issue or problem? Talk to the HIPAA privacy officer.
■ A patient or family member complains to me about a privacy matter? Take steps to resolve the issue and pass it along to the privacy officer.

If you have any question at all about a privacy matter, please let the privacy officer know!

Page 37: HIPAA Security

Page 38: HIPAA Security Requirements

Administrative Safeguards (45 CFR 164.308)
• Risk analysis
• Assign security officer
• Workforce security precautions
• Limit electronic access
• Training
• Password management
• Incident procedures
• Contingency plans
• Business associate contracts

Physical Safeguards (45 CFR 164.310)
• Facility access controls
• Workstation use and security
• Device and media controls
o Tracking
o Data backup
o Disposal

Technical Safeguards (45 CFR 164.312)
• Software access controls
• Encryption
• Audit controls
• Integrity of PHI
• Transmission security for PHI

Page 39: HIPAA Security Policies

Identification and Authentication
Network Connectivity
Malicious Code
Encryption
Building Security
Telecommuting/Remote Access
Removable Media
Mobile Devices and Phones
Retention and Destruction of Practice Information
Disposal and Reuse of Electronic Media
Change Management
Audit Controls
Information System Activity Review
Data Integrity
Contingency Plan
Security Management Process
Emergency Operation Procedures

Page 40: HIPAA Security Officer

The security regulations require each covered entity (and business associate) to designate a HIPAA security officer (45 CFR 164.308(a)(2)). Job duties include:

• Develop, implement and update security processes, policies and procedures
• Monitor electronic access to patient information including access levels and logins
• Work in conjunction with the privacy officer and HIPAA committee on training and breach investigation
• Monitor compliance with security policies and procedures
• Coordinate security risk assessments
• Prepare practice disaster recovery and business continuity plans for information systems
• Monitor changes in security technology and HIPAA regulations that will affect the practice

Who is the security officer at your practice?

Page 41: HIPAA Security Protections

■ Computer screens at each workstation should be positioned so only authorized users at that workstation can read the display.
■ When stepping away from a computer, lock the screen (Windows key + L) or log off. Locking keeps your session open but requires your password to get back in; logging off ends the session entirely.
■ Printers, copiers and fax devices should be located in a secure area and checked often. Patient information should not be left unattended on these machines.
■ Visitors should be checked in and/or escorted through the facility, and their access to areas holding patient information should be restricted.

Page 42: HIPAA Security Protections

■ Access to electronic patient information is granted based on the needs of your job responsibilities
■ Keep mobile devices stored securely
■ Entrances should be monitored or locked for physical security
■ Text and instant messages are not secure methods for sending PHI
■ Any employee observing or having knowledge of unauthorized access, use or disclosure of patient information must report it to the security officer or privacy officer

Page 43: Protect Passwords

■ Keep passwords confidential
■ Logins and passwords should never be written on a sticky note and placed on a monitor, keyboard, drawer or other visible location
■ Avoid maintaining a paper record of passwords
■ Do not use the same password for personal and business accounts
■ Change passwords at the intervals your practice’s policy sets, and always when you suspect compromise; limit reusing old passwords (current NIST guidance, SP 800-63B, favors changing a password on evidence of compromise rather than on a fixed schedule)

Page 44: Protect Passwords

■ If you think someone accessed your password, change it
■ Always change temporary passwords at first log on
■ Do not include passwords in any automated log-on process
■ Do not allow your computer or browser to remember passwords for you (a password manager approved by your practice is the exception)
■ Immediately report anyone outside the practice asking for your password, even if they are a vendor

Page 45: Protect Passwords

■ Choose a strong password that is not easily guessed
■ The longer the better
■ Use an alphanumeric mix, upper and lower case, symbols
■ Don’t use content that people will know about you
■ Passwords should not consist of the user’s name, spouse’s name, child or grandchild names, pet names, dates of special occasions (birthdays or anniversaries), famous peoples’ names and the like

Page 46: Password Helps

To make your password easy to remember, don't use a password. Use a passphrase. Use a quote, saying or verse.

■ No use crying over spilled milk – Nuc@sm!K
■ I’m a poor man – 1'm@p00rm@n

Take the first letter of each word and add some numbers and symbols. Then when you need to remember your password, sing a song (to yourself).

■ We all live in a yellow submarine – w@1i@ys
■ Mary had a little lamb – M@ryh@d@l1ttlel@mb

Keep the result long. A seven-character acronym such as w@1i@ys is short enough to guess by brute force, and swapping letters for look-alike symbols (a for @, l for 1) adds little, because password-cracking tools try exactly those substitutions first. Several unrelated words, or an acronym taken from a long phrase, is what makes a passphrase strong.

Page 47: Email Use

■ Information that is transmitted via email is not secure!
■ When sending patient information to an email address outside of the practice, encrypt!
■ Contact IT for instructions

Page 48: Cybersecurity

■ Keep antivirus and software updates current
■ Back up your data
■ Protect your mobile devices from theft
■ Do not allow strangers to use your devices
■ If emails look suspicious, ask your IT to review before clicking

Page 49: Phishing

Definition: The fraudulent practice of sending emails appearing to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers

Page 50: Phishing

■ Be wary of emails from unknown sources seeking information.
■ Watch for emails from people you DO know, but the email address is not correct, or the subject doesn’t sound like that person.
■ Watch for misspelling or grammatically bad sentences.
■ Often, they are giving away a prize. If it sounds too good to be true, it is probably an attempt to get your information.
■ Even if the logos are correct from the sender, look for other phishing red flags.

Page 51: Phishing

■ Hover over links before clicking – if the address changes or does not match the content of the email, it’s bad news (example link shown on the slide: www.freegiftcard.com)
■ Do not click on links in junk or spam emails
■ Do not open attachments or click on links from people you do not know
■ Do not enter personal information into forms
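The hover check on the slide above compares where a link really goes with what the e-mail shows. The following is an added example, not AFMC code, that does the same over the HTML of a constructed message: it collects each link's href and visible text, and flags links whose visible text names one domain while the href leads to another (including the user@host trick, where the brand name before the @ is only a username), as well as javascript: and data: URLs. The registrable-domain comparison uses the last two labels of the host, an assumption that a production check would replace with the Public Suffix List; the hosts in the sample message are constructed.

```python
"""Flag e-mail links whose visible text points somewhere other than the href.

Added example for the phishing slides; not AFMC code, and the sample message is
constructed. It automates the slide's advice to hover over a link and compare the
real address with what the e-mail shows.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HOST_RE = re.compile(r"[a-z0-9.-]+")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Host named by a URL or bare domain, or None if the text is not URL-like."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname or ""
    return host if "." in host and HOST_RE.fullmatch(host) else None


def registrable_domain(host):
    """Last two labels. Assumption: adequate here; real code would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(html):
    """Return (href, text, reason) for links a reader should not click."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for href, text in collector.links:
        if href.lower().startswith(("javascript:", "data:")):
            findings.append((href, text, "script or data URL"))
            continue
        shown, real = host_of(text), host_of(href)
        if shown and real and registrable_domain(shown) != registrable_domain(real):
            findings.append((href, text, f"text shows {shown} but the link goes to {real}"))
    return findings


# Constructed sample message; none of these hosts are real targets.
SAMPLE_EMAIL = """
<p>Congratulations! Claim your prize at
<a href="http://login.prize-claims.example/r/8831">www.freegiftcard.com</a>.</p>
<p>Sign in to your account: <a href="https://examplebank.com@evil.example/login">examplebank.com</a></p>
<p>Manage preferences: <a href="https://mail.examplebank.com/unsub">mail.examplebank.com/unsub</a></p>
<p><a href="https://examplebank.com/help">Click here</a> for help.</p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}: {reason}")
```

On the sample, the first two links are reported (the gift-card text versus a prize-claims host, and examplebank.com shown while the real host is evil.example); the unsubscribe link and the plain "Click here" link are not, because their text either matches the href's domain or names no domain at all. Text that names no domain is the common case, which is why the check is a supplement to the other red flags on the slides, not a replacement for them.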

Page 52: Notify the Security Officer if …

■ You see something that looks like a computer security issue or problem
■ Your computer is not acting correctly, or you receive error messages that you have not seen before
■ You realize someone is using your password
■ You see a stranger on a computer
■ You notice equipment is missing
■ You get a suspicious email

Page 53: I Couldn’t Help Overhearing

■ There’s no doubt that you will overhear private patient information as you do your day-to-day work.
■ As long as you keep it to yourself, you have nothing to worry about!

Page 54: Basic HIPAA Training and Requirements - AFMC · 10/9/2019  · Certificate/license number Any vehicle (VIN), license plate, serial number ... HIPAA training –work in conjunction

Privacy and Security are Common Sense

■ You’ve already been practicing this in the past

■ All of your patient information is private and confidential

■ Even the fact that the patient is here for treatment is private and cannot be told

■ A good rule to follow is:

• “If you learned it at your work, it is private and cannot be repeated!” – The Privacy Golden Rule



HIPAA Training Requirements: Tips for the Privacy and Security Officer


What do the Regulations Say? HIPAA Security Regulations

§ 164.308 Administrative safeguards. A covered entity or business associate must, in accordance with § 164.306:

(5)(i) Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).

(A) Security reminders (Addressable). Periodic security updates.

(B) Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.

(C) Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.

(D) Password management (Addressable). Procedures for creating, changing, and safeguarding passwords.


What do the Regulations Say? HIPAA Privacy Regulations

§ 164.530 Administrative requirements.

(b)(1) Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.

(2) Implementation specifications: Training.

(i) A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows:

(A) To each member of the covered entity's workforce by no later than the compliance date for the covered entity;

(B) Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce; and

(C) To each member of the covered entity's workforce whose functions are affected by a material change in the policies or procedures within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section.

(ii) A covered entity must document that the training as described in paragraph (b)(2)(i) of this section has been provided, as required by paragraph (j) of this section.


Frequency, Timeframes, Documentation

Training frequency and timeframes

Training should be conducted

■ as required,

■ upon initial hire,

■ annually, and

■ periodically.

Retention of training documentation is required and shall be maintained for 6 years.


Documentation of training must include:

■ date,

■ staff in attendance (including sign-in sheets),

■ method of training,

■ speaker,

■ content (including handouts),

■ location,

■ duration and

■ all other factors


Specific Training

HIPAA requires employees to be trained on HIPAA for their specific job functions. If you perform any of the following, you need additional HIPAA training:


■ Release of information

■ Information systems maintenance and oversight

■ Contracts/business associate agreements

■ Breach investigation and reporting

■ Patient complaints and requests for

• Amendment

• Alternate communications

• Accounting of disclosures

• Copies or inspection of records

• Restrictions and out-of-pocket requests


Suggested Content

Content of training should be relevant to HIPAA requirements, including:

■ Recognizing malicious software

■ Log-in protections

■ Password management

■ Practice policies

■ Governmental legislation (or changes to HIPAA)

■ Facility changes

■ Results of audits and reviews

■ Technology changes

■ Notice of threats and viruses


HIPAA Training Resources

The Office for Civil Rights (OCR) continues to post notices of fines imposed on providers for failure to protect protected health information. To assist providers with training staff on HIPAA requirements, the Department of Health and Human Services (HHS) has published the following recommended training materials on its website:

Helping Entities Implement Privacy and Security Protections

http://www.hhs.gov/ocr/privacy/hipaa/understanding/training


HIPAA Training Resources

The HealthIT.gov website points to a Guide to Privacy and Security of Electronic Health Information, which provides a beginner's overview of what the HIPAA Rules require. The page also has links to security training, risk assessment tools and other aids.

Privacy and Security Challenge

https://www.healthit.gov/topic/privacy-security-and-hipaa/privacy-security-training-games


HIPAA Training Resources

The HHS OCR cybersecurity newsletter is published monthly. Its articles cover hot topics in today’s ever-changing cyber world:

■ Articles from 2016 and 2017 can be found at https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/cybersecurity-newsletter-archive/index.html

■ Articles from 2018 can be found at https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html


Questions


AFMC Security Risk Analysis

email [email protected]

call 501-906-7511

online afmc.org/SRA


See it? Hear it? Don’t tell it!