1 of 50

HIPAA Compliance Training Presentation

2 of 50

Introduction to HIPAA

HIPAA is the Health Insurance Portability and Accountability Act

The law was signed in August of 1996

HIPAA regulations directly cover three basic groups of individual or corporate entities
Health Plans, HealthCare Providers, and HealthCare Clearinghouse

HIPAA was intended to

Improve fraud and abuse protections
Improve administrative efficiencies
Ensure privacy, security & confidentiality of protected health information (PHI)
Support the portability of health insurance

OCR

Office of Civil Rights (Enforces the Privacy Rules)

3 of 50

Key Concepts and Terms

Protected Health Information
Use and Disclosure
Notice and Acknowledgement
Authorization
Covered Entity
Workforce
Business Associate
Personal Representative
Minimum necessary
Treatment, Payment, or Operations

All government regulations contain their own specialized vocabulary. The privacy and security provisions are loaded with terms HIPAA defines in its own peculiar way. After reviewing the terms listed above we will examine each one in detail.

Among HIPAA’s key terms and concepts are:

Protected health information
Use of information – which is defined separately from disclosure of information
The Notice of Privacy Practices and the patient's acknowledgement of receiving the notice
Authorization of certain uses and disclosures of protected health information
Covered Entity which is a Health Plan, Clearinghouse or any Healthcare Provider that transmits PHI electronically
Rules for sharing information with business associates
A unique definition of a medical practice’s workforce
The designation and authority of a patient’s personal representative
The application of the minimum necessary standard to the use and disclosure of information
TPO is referred to many times throughout the regulations because discloser of PHI doesn’t apply when it is for the Treatment, Payment or Operations of the practice

4 of 50

Protected Health Information

General definition

Information that identifies an individual and describes his/her medical condition or treatment

Specifically includes

Clinical information
Information on payment
Basic demographic information
Name, address, and telephone number

Applies to written and electronic information

HIPAA’s privacy requirements apply to all protected health information, or “PHI” as it sometimes is called.

PHI includes virtually all information that identifies an individual and describes his or her medical condition.

This includes clinical information in the patient’s medical records such as the patient’s medical history, X-Rays, results of physical examinations, laboratory and other diagnostic test results.

It also includes payment information such as billing records and claim forms. Even basic demographic information such as the patient’s date of birth and sex is included, as is the patient’s name, address, and telephone number. In short, if information describes a patient or could be used to identify the patient, it is protected under HIPAA!

The HIPAA privacy requirements apply to information in any form. They apply to written records, information stored electronically on computer systems, and information transmitted electronically to insurers or other providers.

5 of 50

Use and Disclosure

Information is used by Team Members for

Collection of information by clinical staff
Review of patient charts by clinical staff
Completion of billing forms by clerical staff
Accounting and bookkeeping entries

Information is disclosed when it is shared with others

Transmission of information to a health plan
Transmission of information to a billing service
Transmission of prescriptions to a pharmacy
Consultation with an independent provider
Reporting to government agencies (Mandated)

HIPAA regulations, as well as our medical practice’s policies and procedures, refer frequently to use and disclosure of a patient’s information.

What’s the difference between use and disclosure? When one of us uses information within the medical practice itself, that is a “use” of information according to HIPAA. But if we were to divulge the same information to a party outside the medical facility or our facility, that would be a “disclosure,” according to HIPAA.

Examples of use include:

the collection of information and the review of medical records by members of our staff, the completion of billing forms by our staff, and
the routine updating of our accounting and record-keeping systems.

On the other hand, examples of disclosure include:

transmission of patient information to a health plan, a billing service, a pharmacy or another provider, and reporting patient information to government agencies which Federal, state and local laws may require our medical practice to disclose or report information about patients. Examples include:
Reporting certain injuries or wounds to law enforcement agencies, Reporting crimes, Complying with investigations of fraud and abuse
Reporting infectious diseases and vital events to public health authorities, Reporting suspected abuse, neglect or domestic violence
Permitting inspection of records by licensing and regulatory agencies, Disclosing information as part of legal proceedings. These disclosures should only be made by those of us who are familiar with the legal mandate and the procedures for complying with such requests.

6 of 50

Notice and Acknowledgement

Notice of Privacy Practices

A statement given to each patient describing how our physicians will use and disclose health information and outlining the patient’s rights under HIPAA

Acknowledgement

Written documentation that the notice was provided to a patient, either signed by the patient or completed by a staff member explaining why the patient did not sign it

The Notice of Privacy Practices is the primary vehicle HIPAA created for telling patients how there provider will use their medical information.

The Notice also describes the rights of patients to authorize certain uses and disclosures of information, to request an accounting of certain uses and disclosures, to inspect their own records, and to request corrections in information, and advise the patient that they can place a restriction on the use of their PHI.

HIPAA requires us to give the Notice to every patient when they first visit the medical practice. We are required to make what HIPAA calls a “Good Faith Effort” to obtain a written acknowledgement from the patient that he or she has been given a copy of the Notice.

The Notice of Privacy Practices is the tool we use to make sure our patients understand how their information will be used and shared with others. It also informs patients of the rights that HIPAA gives them, including:

the right to authorize certain uses and disclosures of their information
the right to request an accounting of the people and organizations to whom we have sent their information,
the right to inspect their own records and obtain copies of information contained in their records, and
the right to request corrections in their records if they feel they contain errors.

7 of 50

Authorization

Medical/clinical research

Investigational treatment
Research protocols
Exception for “de-identified” data

Marketing

Promoting third-party products/services
Providing mailing lists to others

Other uses and disclosures except

For treatment, payment, health care operations
To comply with legal mandates

An early version of HIPAA would have required us to obtain a patient’s consent before we could use or disclose any of their protected health information – even when it was needed to treat them, or get reimbursed for their care, or for most of our everyday activities that involve patient information. But that requirement was removed in the current version of HIPAA.

Still, we are required to verify the provider has obtained a patient’s authorization to use or disclose their protected health information for a purpose other than treatment, payment, or to support the health care operations of the practice.

Examples of use and disclosure that require authorization are employers, research studies and the sale of mailing lists to other organizations.

An authorization must identify the information to be disclosed or used , how the information will be used, and who will use it. The authorization must be signed by the patient or by the patient’s representative if the patient is unable to sign it.

If information is released without the patient’s authorization this may be considered a violation of the patient’s Civil Rights.

We’re allowed to use and disclose a patient’s medical information for several purposes that don’t require prior authorization by the patient. These include:

Treating the patient
Obtaining payment from the patient’s health plan
Releasing records to physicians involved in the patient’s current treatment
Supporting the day-to-day operations of our medical practice, and
Complying with legally mandated reporting or disclosure.

Again, HIPAA does not require us to get a patient’s authorization to use their information for any of these purposes.

8 of 50

Covered Entity

A covered entity

A health plan
A health care clearinghouse
A health care provider that conducts certain health care transactions electronically

9 of 50

Workforce

Members of the medical practice
Employees of the medical practice
Independent contractors we hire

10 of 50

Business Associate

An entity that performs services �for the physician
Examples:

Management Services (Oncure)
Billing services
Accreditation agencies

New Breach Notification Rule

Requires the BA to report any breach of PHI to the CE within 60 days of of the discovery of the breach

Generally speaking, a “business associate” is any person or organization that performs services for a medical provider.

Business associates include billing services and other organizations or people that create, receive, or process health information we are responsible under HIPAA to protect. Accreditation agencies, that may need to review patient information during a survey, are also business associates.

Just as we must ensure that the medical practice complies with HIPAA, we also must obtain what HIPAA calls “satisfactory assurances” from our business associates that they also will comply with all of HIPAA’s safeguards for protected health information. New Breach Notification Rule issued by the Department of Health and Human Services in August of 2009 requires that BA’s follow the same rules for notification as the CE. This presentation will go further into details once we talk about disclosures.

11 of 50

Personal Representative

A person who can act on behalf of the patient
Must have legal authority to act �on the patient’s behalf
A personal representative may:

Acknowledge the Notice of Privacy Practices
Authorize use and disclosure of information
Request and receive an accounting of use and disclosure
Request amendment of health information

12 of 50

Minimum necessary

HIPAA limits use and disclosure of protected health information to the ‘minimum necessary’ to accomplish an intended purpose
Examples:

Any information requested for treatment
Any information in a standard transaction
Information required by administrative task
Information specified in request from government agencies such as

Law enforcement officials
Regulatory officials
Subpoena or court order

13 of 50

Quiz 1: Key Concepts

Does protected health information includes the patient’s name, address, and basic demographic information?
Do privacy protections apply to both information recorded on paper and information stored electronically?
Can a family member or close personal friend act as the representative of the patient?
Is a business associate contract required only for those business associates who create, receive or process protected health information?

14 of 50

A Hypothetical Case History

The privacy regulation in action: �An overview

15 of 50

A Hypothetical Case History

New Patient Flow Process
Claim prepared and submitted to health plan
Newsletter sent to patients of the practice
Mailing list requested by local pharmacy
Disclosure Log
Access to PHI
Amendment to PHI

16 of 50

New Patient Flow Process

Making an appointment

Collect basic patient information

Name
Telephone number
Health plan
Advise the patient to bring a photo ID, or other documentation that will show current address

Patient Arrival

Patient receives a Registration, Privacy Notice and the Acknowledgement of Notice

Original acknowledgement is placed in the chart
If the patient refuses or is unable to sign then use the “Good Faith Efforts” form to document why you were unable to obtain the acknowledgement
Validate the documentation that identifies the patient and the current address

Patient is asked to sign-in on the wait list

When a person or referring MD office calls the treatment center to make an appointment, we can collect basic information including the person’s name, health plan, address and telephone number, request the patient bring a photo ID at the first appointment. This information – because it identifies the patient – is protected by the privacy rules, but we’re still allowed to collect and use it to schedule an appointment even though the patient has not yet received the Notice of Privacy.

On the day of the appointment, the patient arrives, completes the registration paperwork, match the photo ID with the patient, or other documentation showing current residence, initial and date the registration paperwork, and ask the patient to sign in on the waiting list. This paperwork includes, a copy of our Notice of Privacy Practices. The Team Member checking in the patient should attempt to get a signed acknowledgement from the patient indicating that he or she has read the Notice of Privacy Practices. If you are unable to get a signed acknowledgement remember to complete the Good Faith Efforts documentation.

Signing-in on the wait list and having the patients named called out in the waiting room is not a violation of the privacy rules.

17 of 50

Claim Submission

Format changes from the standard HCFA 1500 to ASC X12N 837.
Referring doctors changed from UPIN to NPI
Disclosure of information to health plan

Does not require patient authorization
Does not violate privacy rules

18 of 50

Mailing lists

Must have patient’s permission to sell or provide mailing lists to other organizations

19 of 50

Disclosure Log

This form is kept in the patient’s chart with other registration information.
New rules will soon require that we have an electronic record of all disclosures
The patient is allowed to ask you for a copy of this Disclosure Log every 12 months for free
Must retain this log for 6 years and be able to retrieve a copy within 3 days in CA and 30 days in FL if requested.

20 of 50

Patient Access to PHI

The patient must request to see the chart in writing. You must respond to request within 30 days.
An appointment must be made to see the chart. Patient must not be left alone with the chart EVER. Do not allow the patient the ability to alter the record.
You may provide the patient with a summary of the chart if patient agrees to this format.
The Physician can deny access if he/she feels it is not in the patients best interest to see the contents of the chart.
If denied access, complete the denial letter and mail to the patient placing a copy in the patient’s chart.

21 of 50

Request For Amendment to PHI

Patient may request that the records be amended. Patient must request the amendment in writing.
If amendment request is denied you must notify the patient using the “Request for Amendment Denial” letter.
Mail the original to the patient. Place a copy in the chart.
Patient may submit their own 250 words or less addendum, to be placed in the chart.
Patient may file a disagreement with DHHS.

22 of 50

Quiz 2: Access and Amendment

Can a patient examine his or her medical information?
Can a patient obtain a copy of information in his or her medical chart?
Do patients have to request information from their records in writing?
Can patients change information in their medical records?

Time for a quiz on patients’ rights to examine and amend information.

Can a patient examine his or her medical chart or other information we keep here?

Yes. The only restrictions involve psychotherapy notes and information that we feel may place the patient or another person in jeopardy.

Can a patient obtain a copy of information in his or her medical chart?

Yes. We’re obliged to allow the patient to make copies of information contained in his or her records. But we’re allowed to charge for the copies.

Do patients have to request information from their records in writing?

Yes. We’re allowed to require patients to request information in writing. We also have the latitude to accept spoken requests, but that’s completely up to us.

Can patients change information in their medical records?

No. A patient may request changes in their records, but we aren’t required to make those changes unless we agree that the information in question is incorrect.

23 of 50

Content of Authorization

Authorization must…

Identify the information to be used or disclosed
Identify users/persons to whom disclosed
Identify purposes of use or disclosure
Note the potential for redisclosure

Conditioning treatment on authorization

Treatment available only to research subjects
Treatment requested by the patient for disclosure

Authorization may signed by…

Patient, or
Patient representative

When we’re required to obtain a patient’s authorization for the use or disclosure of information, the authorization itself must:

Identify the specific information that we will make use of
Identify the people or organizations that will use and/or receive the information
Identify the specific purposes to which the information will be put
And the authorization must note that any information disclosed to another organization may not be protected by federal privacy standards and may be re-disclosed

We generally cannot make authorization a condition of treatment. That is, we cannot say to a patient that he or she won’t be treated unless they authorize us to use their information.

But there are two important exceptions to this rule.

If a treatment is available only to patients who participate in a research study, we can require authorization to use their information in the study.

This exception generally applies to experimental treatment, and not to treatment that is also available to patients who do not participate in the study. In other words, we couldn’t coerce a patient into participating in a research study by refusing to provide the same treatment apart from the study.

But we are allowed to refuse to treat a patient or provide a service if we do not receive authorization to release information to the organization whose request prompted the request for the treatment or service.

What does that mean? We can require a parent to authorize disclosure of the results of a camp, school, or sports physical when that is the purpose of the visit.

An authorization may be signed by either the patient, or the patient’s representative.

24 of 50

Obtaining Authorization

Review authorization form with patient

What information will be used
What the information will be used for
Who will use the information

Note the potential for re-disclosure
Obtain patient/representative signature
File authorization form in records

The authorization form we use should be reviewed with the patient.

Any questions concerning the specific information to be used, the uses to which the information will be put, or the individuals and organization who will be given the information should be addressed.

The potential for re-disclosure should be discussed. In a nutshell, information disclosed to a third party may not be protected by the federal privacy regulations. If the information will be protected from further re-disclosure, the authorization should note these protections. Where no protections can be assured, the potential for re-disclosure should be clearly noted.

The patient or patient representative should sign and date the authorization form, and should be given a copy. The original should be filed in keeping with our policies and procedures.

25 of 50

Sample-Medical Release of Information Form

Authorization to Receive or Release Medical Information
(Please fill out completely; incomplete forms may delay processing)
Explanation
This authorization to receive or release medical information is being requested of you to comply with the terms of the “Authorization I hereby authorize Radiation Oncology Medical Group to furnish to:
(name of physician, hospital or healthcare provider)
address of physician, hospital or healthcare provider)
medical records and information pertaining to medical history, mental or physical condition, services rendered, or treatment for:
(Name of Patient) (Social Security Number) (Date of Birth)
3. I understand that I have the right to limit the type of information to be released. I have indicated below the information which is authorized for release:
All medical information, without exception, including information regarding AIDS and AIDS testing, psychological or psychiatric treatment and drug or alcohol abuse. This includes doctor’s notes, labs, x-ray and other diagnostic tests.
All the medical information except the following:
Only the following information:
Uses
This information supplied is to be used for the following purpose's): _________________________________.
Duration
This authorization shall become effective immediately and shall remain in effect until (date).
6. Restrictions
I understand that the recipient may not further use or disclose the medical information unless another authorization is obtained from me or unless such use or disclosure is specifically required or permitted by law.
8. Additional Copy
I understand that I have a right to receive a copy of this authorization.
Copy requested and provided:  yes  no
I hereby release all parties from any/all legal liability that may arise from the release of this information to the party named above (San Diego Sports Medicine & Orthopedic Center reserves the right to charge for copies of medical records.)

26 of 50

Quiz 3: Authorization

Is an authorization needed if a patient has signed a consent to participate in a research program?
Does an authorization have to specify the information to be disclosed and the purpose of the disclosure?
Does an authorization have to identify who will use or receive the information?
Can a patient be denied care if he or she doesn’t authorize use or disclosure of information in a research study?
Does a patient have to authorize disclosure of information to himself or herself or to a spouse?

Question-and-answer time again ...

Is an authorization needed if a patient has signed a consent to participate in a research program?

Yes. A consent to participate in a research study does not, in itself, let us use the patient’s information in the study. The federal regulations require us to have the patient sign a specific authorization for the use and disclosure of information in the research study in addition to any consent to participate in the study.

Does the authorization the patient signs have to specify the information to be disclosed and the purpose of the disclosure?

Yes. The authorization cannot simply give us blanket permission to use or disclose any information contained in the patient’s records.

Does an authorization have to identify who will use or receive the information?

Yes. The authorization must identify the persons or organizations that will be responsible for disclosing the information as well as the persons or organizations that will receive the information.

Can a patient be denied care if he or she doesn’t authorize use or disclosure of information in a research study?

Yes, but only experimental treatment. We may not refuse treatment that also is available outside the research study simply because the patient won’t authorize use of his or her information in the study.

Does a patient have to authorize disclosure of information to himself or herself or to a spouse?

No. Disclosure of information directly to a patient or a spouse does not require authorization.

27 of 50

Use and Disclosure of PHI

Informing patients of certain uses and disclosures of protected health information

28 of 50

Legally Mandated Disclosures

Police and Law Enforcement
Public Health Reporting

Reportable infectious diseases
Vital events (birth and death)

Abuse and Neglect Reporting
Licensing and regulatory oversight
Legal proceedings

Federal, state and local laws may require our medical practice to disclose or report information about patients.

HIPAA allows us to comply with these requests for information. It may be necessary, however, to inform the patient that information has been disclosed.

Examples of mandated disclosure include:

Reporting certain injuries or wounds to law enforcement agencies
Reporting crimes
Complying with investigations of fraud and abuse
Reporting infectious diseases and vital events to public health authorities
Reporting suspected abuse, neglect or domestic violence
Permitting inspection of records by licensing and regulatory agencies
Disclosing information as part of legal proceedings

These disclosures should only be made by those of us who are familiar with the legal mandate and the procedures for complying with such requests.

29 of 50

Incidental Disclosures

Examples of incidental disclosure

An overheard conversation among staff members
An overheard discussion between staff and patients
An overheard telephone call to a patient
Test results being filed in patient records

Incidental disclosures are permitted…�…but should be avoided

Incidental disclosures need not be documented

Try to minimize incidental disclosures!

Conduct discussions in private areas
Limit discussion when others are present

It’s inevitable that some of us will, in the course of going about our work, unwillingly disclose some information about our patients.

It could take the form of a conversation overheard by another staff member, a vendor, or a patient.

A telephone call to a patient to communicate test results might be overheard, or test results might be left where they can be seen by unauthorized persons.

HIPAA recognizes that these kinds of disclosures will occur, and cuts us a bit of a break in this regard. Incidental disclosures like these do not violate HIPAA, and we are not required to document them.

We must, however, make every effort to minimize these kinds of disclosures.

Discussions should be conducted in private areas, particularly those that involve more than isolated bits of information about a patient.

We also should avoid conversations about any patient with anyone, or within hearing range of anyone who isn’t involved in that patient’s care.

30 of 50

Disclosures to Family Members

Disclosure is permitted…

To spouses
To parents and legal guardians
To others involved in care

Obtaining patient’s permission

When patient is able to object
When patient is not able to object

Allows sharing of Information related to the patient’s care

The treatment of a patient frequently involves the participation of family members. Dietary restrictions, for example, may need to be understood by the person who generally does the shopping and cooks meals. Parents are nearly always intimately involved in the care of their children.

HIPAA allows us to disclose protected health information to spouses, parents, legal guardians and others involved in a patient’s care without obtaining the patient’s formal, written permission.

We still should make sure the patient is given a chance to object to the disclosure of information to family members or others. This opportunity can be as simple as asking the patient if he or she has any objection. In fact, we’re allowed to assume there’s no objection if the patient is present while we discuss the case with a relative and the patient says nothing about it.

If the patient cannot be consulted on this issue, the patient’s representative should be consulted.

Where parents and legal guardians are concerned, state and local laws often determine the conditions under which information can be disclosed.

31 of 50

Breach Notification Rules

Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) along with HHS as part of the American Recovery and Reinvestment Act of 2009 contains a series of laws that have expanded privacy and security aspect of HIPAA. These rules were published by HHS on August 24, 2009.

Breach Reporting Obligations
Risk of Harm Standard
Notice Requirements
Methods of Securing PHI
Policies and Procedures

On August 24, 2009 the HHS published regulations clarifying the breach reporting obligations and providing guidance on the meaning of “secured” and “unsecured” PHI. Covered Entities and Business Associates are required to report breaches that are discovered after September 23, 2009.

In the event of a breach of unsecured data, many steps needs to be taken by the CE including a Risk Assessment will be conducted to determine if the risk poses a significant risk of financial, reputational, or other harm to the individual, and based on the results of the assessment will determine whether it is necessary to notify the individual of the breach. The following factors should be considered during the risk assessment: Nature of the Data Elements Breached, Likelihood the information is accessible and usable, Likelihood the breach may lead to harm and the ability of the entity to mitigate the risk of harm.

Notice must be made to the affected individuals “without reasonable delay and in no case later than 60 calendar days after discovery of a breach”. The notice shall be made in writing, except under circumstances where the CE does not have the correct contact information of the individual, or where there is particular urgency to the notification. Notice must contain the following: A brief description of what occurred including dates of the breach and discovery of the breach. A description of the types of unsecured PHI that were disclosed during the breach. A description of the steps the individual should take to protect himself or herself from potential harm caused by the breach. A description of investigation the CE has taken to mitigate the breach and to prevent future breaches. Instructions for the individual to contact the CE. If the breach of unsecured PHI involves more than 500 patients of the state the CE must notify media outlets within that state as well as the Secretary within 60 days of the discovery of the breach. If the breach is less than 500 individuals, the CE shall create a log documenting the breach, and must be sent to the Secretary within 60 days after the end of each calendar year. If the breach occurs at or through a BA the BA must notify the CE of the breach within 60 of discovery so that the CE is able to comply with its breach reporting obligations.

The secretary released guidance that render PHI unusable, unreadable, or indecipherable to unauthorized individuals. Some of these methodologies include Encryption, and Destruction of PHI. Simple access controls may render the PHI inaccessible to unauthorized individuals, but don’t render the PHI unusable, unreadable, or indecipherable to unauthorized individuals, thus constitute unsecured PHI for which breach notification is required.

It is the responsibility of the CE and BA to have policy and procedures to comply with the HITECH reporting obligations. The policy and procedures must include: Training of all members of the workforce, Sanctions for the members of the workforce that don’t comply with the policy and procedures. A process by which the individuals can make a complaint regarding the entity’s compliance with the breach reporting rules. Prohibition on retaliation against individuals who exercise a right, or file a compliant.

Civil monetary penalties for noncompliance can range from $100 ti $50,000 per violation. The maximum penalties that can be applied for additional violations in any one year are within a range of $25,000 to $1,5000.000.

32 of 50

On August 24, 2009 the HHS published regulations clarifying the breach reporting obligations and providing guidance on the meaning of “secured” and “unsecured” PHI. Covered Entities and Business Associates are required to report breaches that are discovered after September 23, 2009.
In the event of a breach of unsecured data, many steps needs to be taken by the CE including a Risk Assessment will be conducted to determine if the risk poses a significant risk of financial, reputational, or other harm to the individual, and based on the results of the assessment will determine whether it is necessary to notify the individual of the breach. The following factors should be considered during the risk assessment: Nature of the Data Elements Breached, Likelihood the information is accessible and usable, Likelihood the breach may lead to harm and the ability of the entity to mitigate the risk of harm.
Notice must be made to the affected individuals “without reasonable delay and in no case later than 60 calendar days after discovery of a breach”. The notice shall be made in writing, except under circumstances where the CE does not have the correct contact information of the individual, or where there is particular urgency to the notification. Notice must contain the following: A brief description of what occurred including dates of the breach and discovery of the breach. A description of the types of unsecured PHI that were disclosed during the breach. A description of the steps the individual should take to protect himself or herself from potential harm caused by the breach. A description of investigation the CE has taken to mitigate the breach and to prevent future breaches. Instructions for the individual to contact the CE. If the breach of unsecured PHI involves more than 500 patients of the state the CE must notify media outlets within that state as well as the Secretary within 60 days of the discovery of the breach. If the breach is less than 500 individuals, the CE shall create a log documenting the breach, and must be sent to the Secretary within 60 days after the end of each calendar year. If the breach occurs at or through a BA the BA must notify the CE of the breach within 60 of discovery so that the CE is able to comply with its breach reporting obligations.
The secretary released guidance that render PHI unusable, unreadable, or indecipherable to unauthorized individuals. Some of these methodologies include Encryption, and Destruction of PHI. Simple access controls may render the PHI inaccessible to unauthorized individuals, but don’t render the PHI unusable, unreadable, or indecipherable to unauthorized individuals, thus constitute unsecured PHI for which breach notification is required.
It is the responsibility of the CE and BA to have policy and procedures to comply with the HITECH reporting obligations. The policy and procedures must include: Training of all members of the workforce, Sanctions for the members of the workforce that don’t comply with the policy and procedures. A process by which the individuals can make a complaint regarding the entity’s compliance with the breach reporting rules. Prohibition on retaliation against individuals who exercise a right, or file a compliant.

Civil monetary penalties for noncompliance can range from $100 ti $50,000 per violation. The maximum penalties that can be applied for additional violations in any one year are within a range of $25,000 to $1,5000.000.

33 of 50

Quiz 4: Using & Disclosure of Information

Are there any limits on the use or disclosure of patient information for the purpose of treatment?
Does a patient have to authorize the disclosure of information to a health plan?
Does a patient have to authorize disclosure of information to law enforcement agencies?
Does HIPAA prevent us from complying with state-mandated disease reporting, e.g., for infectious diseases?
Can we use patient information for any purpose without obtaining the patient’s authorization?

OK, time for another quiz.

First question: are there any limits on the use or disclosure of patient information for the purpose of treatment?

No. Any information a health care provider feels is necessary for diagnosis or treatment may be used and disclosed to other providers involved in the patient’s care.

Does a patient have to authorize the disclosure of their information to their health plan?

No. We can disclose information to the patient’s health plan or to a credit card company for the purpose of obtaining payment. The information that may be disclosed is limited by the minimum necessary standard, however.

Does a patient have to authorize disclosure of information to law enforcement agencies?

No. Legally mandated disclosure does not require the patient’s permission. We may, however, have to inform the patient of the disclosure. The best practice is to refer requests from law enforcement agencies to Teri Duncan Oncure Medical Corp. Director of Compliance.

Does HIPAA prevent us from complying with state-mandated disease reporting? For the purpose of tracking infectious diseases, for example?

Reporting of communicable diseases and vital events specified by law does not require the patient’s authorization. The patient may need to be informed of the disclosure, however.

Are we limited in the uses we can make of patient information without obtaining the patient’s authorization?

Yes. We can only use or disclose information without the patient’s authorization for the purposes of treatment, payment and health care operations – or to comply with legally mandated disclosures and reporting. Any other use or disclosure must be authorized by the patient.

34 of 50

Information Security

Staff responsibilities for keeping information secure

35 of 50

Overview

The basic concepts of security
The responsibility for security
Threats to security
Security protections
What you can do

36 of 50

Security Basics

Two aspects of security

Preventing unauthorized access/disclosure
Preventing loss of information

Scope of security concerns

Securing electronic information
Securing paper records

Security has two aspects, according to HIPAA.

One aspect is preventing unauthorized access or disclosure of information. In other words, security means making sure protected health information doesn’t fall into the possession of people who don’t have a legitimate or approved need for it.

The second aspect of security involves preventing the unintended loss or destruction of information.

Discussions of security often focus exclusively on electronic information. Complex information systems, particularly when connected to networks, are often vulnerable to attack. We know there’s a danger that unauthorized persons, either inside or outside our medical practice could gain access to electronically stored information.

This information is also vulnerable to loss if a computer system fails.

Even information that is preserved in paper records presents security issues. Information kept in paper records also can fall into unauthorized hands. Fire, flood and other disasters also can destroy paper records.

HIPAA focuses on the security of electronic information – but to comply with HIPAA’s privacy requirements we must also take appropriate measures to address the security of the information kept in paper records, which includes the proper disposal of PHI. All paper containing PHI that is scheduled for destruction or needs to be disposed of must be shredded or placed in the shredding company receptacle.

37 of 50

Security is Every Employee’s Responsibility

Information systems managers & staff
Medical professionals
Clerical and billing staff
Managers and supervisors
Consultants and contractors

Security is the responsibility of every person who comes into contact with protected health information.

Security isn’t just something that can be assigned to a single individual or department. And it isn’t something that only our folks have to worry about.

To a greater or lesser degree, each of us has some responsibility for security.

Our information systems managers and staff are responsible for designing and implementing security safeguards in our computer systems that collect, retrieve, transmit and store patient information. These people need to make sure that communications networks include adequate safeguards to protect the security of information transmitted across those networks.

Our medical professionals – who create and use the bulk of the medical information on patients – have an obligation to maintain the privacy of that information. They also have a special obligation to make sure that patient information stored temporarily in their offices is kept secure. HIPAA allows patient information to remain out in the open as long as the area is being supervised.

Our clerical and billing people are responsible for keeping the information they create and transmit secure by following applicable security procedures.

Managers and supervisors have a dual responsibility. First, they need to make sure effective security policies and procedures are developed and implemented – and that information systems include effective security features.

Second, they need to make sure information they use in day-to-day management is kept secure.

Consultants and contractors who we allow to use protected health information are responsible for following our security protocols.

In fact, any staff member might, at one time or another, come into possession of patients’ personal information. A housekeeper, for example, might have to move patient records or the paperwork communicating the results of laboratory tests.

Safeguarding the security of information is everyone’s responsibility.

38 of 50

Security Threats

Loss of information
Theft of information
Unauthorized disclosures
Accidental disclosures

39 of 50

Loss of Information

Unintended destruction of information

Human error
Hardware failure
Fires, floods, and power failures
Computer viruses

Response to the threat

Staff training and procedures
Backup procedures and system design
Disaster and contingency plans
Anti-virus software

The unintended loss or destruction of information is one of the most serious threats to security. Once information is gone, it may be impossible to recover.

Information can be destroyed in many ways:

Information can be destroyed by simple human error. Everyone has had the experience of deleting a file from a computer without meaning to.
Information can be destroyed when computer hardware fails. A disk drive that crashes can destroy billions of bytes of critical information.
Fires, flood, and other disasters, as well as power failures can cause information systems to crash. They also may prevent people from being able to retrieve critical information needed to serve our patients.
Computer viruses can destroy information – and they can cause information to be sent to people who have no business receiving it.

Our objective is to make sure that information can be recovered if it is lost. The techniques we use to safeguard electronic information from accidental destruction include:

Staff training and procedures to make sure that information is only destroyed when it should be destroyed.
Backup procedures and systems to make sure that duplicate datasets are created for all information we store electronically.
Disaster recovery and contingency plans to let us quickly resume normal operations with minimum loss of information – and to make sure security safeguards are maintained even when disaster strikes. This was a huge problem in LA after the hurricanes.
Effective use of anti-virus software to prevent viruses from destroying information and short-circuiting our security safeguards.

40 of 50

Theft of Information

How information is stolen

Computer system penetration by hackers
Disclosure caused by computer viruses

Preventing theft

Hardware/software firewalls
Use of password protection
User authentication
Anti-virus software
Encryption

Most people probably associate security with the need to prevent the theft of information.

We’ve all heard stories about hackers who can break into supposedly secure computer systems and steal information from corporations as well as government installations.

Millions of consumers are worried about the theft of credit card information when they transmit information over the Internet.

Computer viruses also can cause the theft of information when it goes to people who shouldn’t have it.

The prevention of theft is a main focus of people responsible for information technology.

Firewalls can be created to prevent unauthorized users from breaking into computer systems.

User IDs and passwords can ensure that only authorized users can gain access to a computer system. They can also be used to limit the information that a staff member is authorized to retrieve or change.

User authentication is used to restrict access to hardware and software, as well as databases, to authorized users.

Anti-virus software is an important component of efforts to prevent the sabotage of security measures.

Information transmitted over networks also may be encrypted to prevent unauthorized persons from decoding them.

The bottom line is that the measures adopted by administrators of information systems protect the security of information and prevent unauthorized users from gaining access to sensitive information.

But, bear in mind that even the best security measures can be defeated if users do not use the security features designed into those systems. (More on this in a moment.)

41 of 50

Unauthorized Disclosures

Intentional, but unauthorized, disclosure

Failure to check credentials of requester
Failure to check patient authorization

Unintentional disclosure

Breakdown of security during disasters

But ensuring the security of information also relies on the use of common sense in the things we do every day at work.

For instance, if we fail to make sure that we’re sending information to a person who is, in fact, authorized to receive that information, we’re committing an unauthorized disclosure.

If we neglect to review a patient’s records carefully to find restrictions on the use and disclosure of a patient’s information that the medical practice has agreed to honor, we’re likely to commit a breach of security.

The only way of preventing these breaches in security is for all of us to rigorously follow the medical practice’s procedures for disclosing information.

Unauthorized disclosures of information also may occur when natural or man-made disasters cause security measures to break down. The purpose of contingency planning is to minimize the risk of unauthorized disclosure during disasters.

42 of 50

Accidental Disclosures

Overheard conversations

Among staff
Between staff and patients

Information left in public view

Information displayed on computer screens
Printed information left on desks
Files accessible to public/passers-by

43 of 50

Security Protections

Backup procedures
Contingency plans
Organizational safeguards
Technical (hardware and software) safeguards

To address these various threats to security, we [have implemented/are implementing/will implement] a number of measures.

Among these measures are backup procedures to make sure that information we store electronically can be recovered following a hardware failure or natural disaster.

We will develop contingency plans that will allow us to continue operating and keep information secure during a natural disaster.

We will implement organizational security safeguards, including policies that limit the information that different categories of staff are authorized to use, and procedures for making sure that information shared with outside organizations is kept secure.

We are implementing technical safeguards that restrict access to authorized users, and ensure that our computer systems include features that prevent unauthorized users from stealing or destroying patient information.

44 of 50

Guidelines for Computer Use

Log on and log off our network
Never let others use your user ID
Choose a secure password
Regularly update your password
Never share your password
Never write your password down
Secure your workstation

One of the most important things we can do to prevent breaches of security is to follow our guidelines for computer use.

The fundamental requirement for keeping information secure on computer systems is our compliance with procedures for using the computer system.

We should always log on – and more important – log off any computer terminal that we use to connect to the medical practice’s network.

We should never leave a computer terminal that is logged on to the network unattended. Other staff or visitors might be able to use the terminal to access patient records.

We shouldn’t allow other staff members to use our personal user IDs. Allowing another staff member to use our ID could provide access to information they are not authorized to use.

We should choose a secure password. We should avoid passwords that might be easily guessed at by coworkers or friends – such as nicknames, hobbies, birth dates, a child’s or pet’s name.

Also, we should regularly update our passwords. The longer a person uses a password, the more likely it is that others will learn it.

We should never share passwords with other staff members.

We should never write down our passwords.

Finally, we should arrange our workstations so that only we can view information on our computer terminals, and so that visitors to the practice cannot read patient information we are using.

45 of 50

Quiz 5: Security Measures

Is the accidental destruction of information a security problem?
What is the most serious threat �to security?
Should people ever let others use their computer ID or password?
Should anti-virus software ever be �turned off?

Time for another quiz – this will be the last one!

Is the accidental destruction of information a security problem?

Yes. The goal of security is to make sure that information doesn’t go to unauthorized people and to make sure that information is available to the people who need it when they need it. If information is destroyed it isn’t available when it’s needed.

What is the most serious threat to security?

Failure to follow the policies and procedures that have been designed to safeguard the security of information is the leading cause of security breaches. The best security hardware, software and policies in the world will be ineffective if people don’t use them.

Should people ever let others use their computer ID or password?

No. Although it may seem a waste of time to go through the process of logging off the system and then logging on again when another staff person uses the same computer, but letting others use your user ID can cause a serious breach in security.

Should anti-virus software ever be turned off?

No. Anti-virus software can make everyone’s life complicated sometimes, but turning it off leaves our information vulnerable to attack by malicious viruses. If your anti-virus software is causing problems, contact the staff person responsible for administering the computer system.

46 of 50

Security & Privacy Wrap-up

What you can do to protect the privacy and safeguard the security of patient information

47 of 50

Privacy Wrap-up�Five things you can do to protect privacy

Store all patient information securely
Discuss patient information in private
Avoid unnecessary discussion of patient information
Review restrictions on disclosure and communication before making disclosures
Confirm credentials of recipients before disclosing protected health information

The five most important things that you can do to protect the privacy of patient information are:

Storing patient information securely. If you have patient information on your desk or at your work area, it should be stored so that unauthorized people can’t just casually read it. This may require nothing more than keeping patient information in folders, placing communications of test results face down, and making sure that all patient information is stored where it belongs when you leave the office at the end of the day.
Discuss patient information in private. If you are going to be discussing a patient, you should move to a location where you won’t be overheard by other patients, by visitors to the office, or even by coworkers who aren’t really involved in the patient’s care.
Avoid unnecessary discussion of patient information. The only time that patients should be the topic of conversation is when the patient’s information is being used for an approved purpose. We can use information for treatment, payment and health care operations – but need to make sure that we are only using and sharing the minimum information needed to accomplish a given task.
Review restrictions on disclosure and communications. When disclosing information, make sure the patient has not asked for and been granted restrictions on the people that we can share their information with. Also, make sure that the disclosure doesn’t require the patient’s authorization. If it does, make sure the patient has authorized the disclosure.
Confirm the credentials of those people to whom you are sending information. Although we can freely share information for the purpose of treatment and do not require the authorization to use the patients information to obtain payment or to run the practice, it is important to make sure that the person to whom we’re sending information should, in fact, be receiving the information. Only share information with other providers, with health plans, or others when you are sure that those people should be receiving the information.

48 of 50

Security Wrap-up�Five things you can do to safeguard security

Log on and log off of your computer
Never let others use your log-on
Follow guidelines for password use
Never disable anti-virus software
Never install unapproved software

The five most important things that you can do to safeguard security include:

Always log on and log off your computer. You should never leave your computer without logging off – not even for a minute. When your computer is logged onto the system, anyone can use it to look at the information that you are authorized to look at.
Never let others use your log-on ID and password. When someone else uses your ID and password, the computer system thinks that that person is you – and that person will be able to use any information that you are able to use. If you forget your password, contact the staff person who administers the computer system and get a new one.
Follow guidelines for password use. This means choosing a password that others don’t know or can’t guess, regularly updating your password, and never ever writing your password down.
Never disable anti-virus software. Computer viruses are a major threat to security. They can destroy enormous amounts of information in minutes. They can create holes in our security mechanisms that allow others to get access to our information. Anti-virus software is the frontline of our defense against computer viruses.
Report security breaches. If you think your computer has been infected, or if you think that a person has learned your user ID and password, or if you think an unauthorized person has been using the system, report it immediately to [name or title of the person responsible for security].

49 of 50

Why take HIPAA Seriously? Civil and Criminal Penalties

Civil sanctions: $100. Per violation up to $25,000 year.

Example: Failure to obtain an Acknowledgement of receipt of Privacy Practices or release of information.

Criminal sanctions: $50,000, $100,000, $250,000 with 1, 5 or 10 years in Prison

Example: Using PHI such as SSN#, obtaining or disclosing unauthorized PHI of another individual. If the violation is committed under false pretenses. The most serious violation would be, the intent to sell or transfer another's PHI for harmful or personal gain.

50 of 50

Final Thoughts

Take HIPAA seriously, this program was designed to protect each one of us.
When each of you return to your work stations take a few moments look around and answer this question: Is your work space HIPAA compliant?
Are you following the HIPAA guidelines outlined for you today?