An Introduction to Compliance and HIPAA Privacy RVHIMA Spring 2016 Meeting Joshua A. Lenavitt, MHA Regional Director of Compliance and Privacy Baptist.


An Introduction to Compliance and HIPAA Privacy RVHIMA Spring 2016 Meeting Joshua A. Lenavitt, MHA Regional Director of Compliance and Privacy Baptist Health Louisville/La Grange

Disclaimer
This presentation is for general education purposes only. The information contained in these materials, lecture, ideas and concepts presented is not intended to be, and is not, legal advice or even particular business advice relevant to your personal circumstances. The laws and regulations presented in this lecture are open to interpretation.

Disclaimer Continued
I am not a lawyer… I know several lawyers… They were not available today… That’s why you have me today!

Objectives
Define Compliance and discuss in terms of Ethics and Values
Gain an understanding of basic HIPAA (Health Insurance Portability and Accountability Act) law
Discuss protection of Protected Health Information (PHI) and Identity Theft/Red Flags
Briefly discuss Social Media and Healthcare
Discuss Texting of PHI

Compliance
How would you define Compliance?

What is Compliance?
Compliance may be described as…
Adhering to federal and state laws
Following policies and rules
Monitoring medical documentation and billing practices
Observing the HIPAA Privacy Rule

What is Ethics?
Ethics may be described as…
Core beliefs and convictions
Values about what is right and good
Doing the right thing

Compliance & Ethics
Taken together, they define the essence of Corporate Responsibility: a values-based culture that guides our actions in the workplace so that our daily activities are performed with honesty, integrity, and in support of organizational Mission, Vision and Values Statements.

Quick Poll – TRUE or FALSE?
FRAUD is a deception, a hoax, or a lie that is made for personal or corporate gain.
TRUE

Industry and Governmental news
A dialysis center illegally paid physicians for referrals and settled with the government for $389 million.
A hospital allegedly submitted false or fraudulent claims for doing unnecessary heart procedures and settled with the government for $16.5 million.
A clinic operator fraudulently billed Medicare for medications that were never given to patients, or were at incorrect dosages, or were unnecessary. A plea agreement included re-payment of $12 million.

Health and Human Services (HHS), Office of Civil Rights (OCR) in Action
Starting in January of 2016, HHS, OCR started issuing monthly messages relating to HIPAA and PHI. The subject matter to date includes:
– Patients’ right to access health information and clarifies appropriate fees for copies
– Understanding Some of HIPAA’s Permitted Uses and Disclosures
– Improper disclosure of research participants’ protected health information results HIPAA settlement
professionals/privacy/guidance/access/index.html

HIPAA

HIPAA
The Office for Civil Rights enforces the HIPAA Privacy Rule:
HIPAA – Health Insurance Portability and Accountability Act of 1996
– Security Rule, national standards for the security of electronic protected health information (published in 2003)
– Breach Notification Rule, requires covered entities to provide notification of HIPAA breaches (published in 2009)
HITECH – Health Information Technology for Economic and Clinical Health Act, 2009
HIPAA Final Omnibus Rule

What is PHI?
Protected Health Information (PHI) can be in any form (electronic, paper, or oral), and includes:
1) Demographic data
2) Past / present / future physical or mental health or condition(s)
3) The provision of health care to the individual
4) The past, present, or future payment for the provision of health care services

Permitted Uses of PHI
Treatment
Payment
– Audits / Requests from payors
– Worker’s compensation
Healthcare operations
– Quality Assessments
– Business Management, such as customer service and resolution of grievances

Quick Poll – TRUE or FALSE?
HIPAA was not designed to interfere with patient care.
TRUE
The HIPAA Privacy Rule allows medical staff to access information necessary for patient treatment.

Quick Poll – TRUE or FALSE?
Under the HIPAA Rules, we must protect our patients’ information (PHI) which includes:
- Name, address, and phone number
- Social Security number
- Insurance information
- Medical record or account number
- Patient’s picture
TRUE

Identity Theft
Identity Theft Prevention Programs are designed to detect, prevent and mitigate identity theft.
Definitions
Identity Theft – fraud committed or attempted using the identifying information of another person without authority.
Red Flag – a pattern, practice or specific activity that indicates the possible existence of identity theft.

Identity Theft
Identification of Relevant “Red Flags”
The presentation of suspicious documents.
The presentation of suspicious personal identifying information.
Suspicious activity related to a covered account.
Complaint or question is received from a patient based on their receipt of suspicious documents.
Notice of address discrepancy.

Our Responsibilities
Obtain the patient’s permission before discussing PHI in the presence of visitors (including family members).
Refer all requests for medical records to the Health Information Management (HIM) Department or your organization’s Release of Information Office.
Refrain from casual conversation. Hold discussion of PHI in confidential and secure areas.
Do not leave charts, files, or computer screens open and within public view.

Our Responsibilities (cont.)
Never share passwords.
Always lock your computer when stepping away from your workstation.
Do not email PHI from work to your personal email address.
Do not text PHI unless using a secure and approved platform.

Our Responsibilities (cont.)
PHI should not be taken off Baptist property unless secure transport is approved by your manager.
Do not leave messages concerning a patient’s condition or test results on a patient’s voicemail.
Report suspicious behavior, people, or situations to your manager, security, or the compliance officer.

Quick Poll – TRUE or FALSE?
Employees are encouraged to share medical advice with patients and families via social media (such as Facebook, Twitter, blogs).
FALSE


Social Media General Guidance
Use caution when having online social contact with patients, former patients, and their family members.
Avoid posts related to work as these discussions also have the potential to inadvertently disclose PHI.
At Baptist Health, we do not use or post patient information or pictures without prior approval from Executive Management.

Texting of PHI
Healthcare providers and covered entities should be aware of the potential consequences under HIPAA for unsecure and/or misdirected text messages.
Baptist Health has a policy that governs the use of text messaging as a means of communicating PHI between providers.
– Only a secure application is acceptable, i.e., Tiger, MicroBloggingMD, etc.

Key Takeaways
Compliance impacts all functional areas of the hospital or organization.
We all have a responsibility to carry out our activities in a manner that is ethical, legal, and in support of the behaviors outlined in your organization’s standards of conduct, professional organizations’ guidelines, and laws.
Let someone know if you have a compliance question or concern. When you speak up, we have an opportunity to improve our programs and resolve issues before they become more serious.

Joshua Lenavitt
Regional Director of Compliance and Privacy
Baptist Hospital Louisville & La Grange
(502) phone