GBMC HIPAA Compliance Program

Presentation transcript:

GBMC HIPAA Compliance Program
Health Insurance Portability and Accountability Act

HIPAA Requires
- Standards for Electronic Transactions and Code Sets. Compliance date: October 16, 2003. Enforced by: Centers for Medicare and Medicaid (CMS).
- Standards for Privacy of Individually Identifiable Health Information. Compliance date: April 14, 2003. Enforced by: Office of Civil Rights (OCR).
- Standards for Security of Electronic Protected Health Information. Compliance date: April 20, 2005.

Diagram of the HIPAA Statute
This is a diagram of the HIPAA statute and its various aspects. [Diagram not reproduced in the transcript; legible labels: Security, Code Sets.]

Training Focus
The training that you are receiving today will focus on learning what responsibilities you have in order to ensure GBMC complies with the HIPAA Privacy and HIPAA Security Regulations. The following topics will be covered:
HIPAA PRIVACY: Protected Health Information; Minimum Necessary; Patient Rights; Notice of Privacy Practices; Privacy Policies; Privacy Officer; Reporting Privacy Concerns.
HIPAA SECURITY: Electronic Protected Health Information; User Identity; Password Management; Appropriate Use of Computing Devices; Security Policies; Security Officer; Reporting Security Concerns.

HIPAA Privacy: The Privacy Rule (Protected Health Information)
The Privacy Rule protects information known as PROTECTED HEALTH INFORMATION (PHI) that exists in written, oral, and electronic formats.

HIPAA Privacy: Examples of PHI
Examples of PHI include the following identifiers:
- Name
- Street Address
- City
- Precinct
- Zip Code
- Birth Date
- Admission Date
- Discharge Date
- Date of Death
- Telephone Number
- Fax Number
- Electronic mail address
- Social Security Number
- Medical Record Number
- Health Plan Beneficiary Number
- Account Number
- Certificate/License Number
- Vehicle and Serial Number
- License Plate Number
- Device Identifier and Serial Number
- Web Universal Resource Locator (URL)
- Internet Protocol Number
- Biometric identifiers (e.g. fingerprints)
- Full Face Photographic Images
- Any Other Unique Identifying Number, Characteristic, or Code

HIPAA Privacy: The Privacy Rule (Minimum Necessary)
The Privacy Rule limits the way in which members of the GBMC workforce may use and disclose (release) PHI. GBMC workforce must have a job-related reason to use or disclose PHI.
It requires that all GBMC workforce use only the minimum amount of PHI necessary to get the job done. This is what HIPAA defines as the MINIMUM NECESSARY standard.
"Workforce" means employees, volunteers, trainees, and other persons who conduct work for GBMC and are under the direct control of GBMC, whether or not they are paid by GBMC.

Annual Acknowledgment of the Minimum Necessary Standard
Every year, employees affirm their commitment to this standard by electronically signing the GBMC Code of Business Ethics Acknowledgment, the Confidentiality of Information Agreement, and the Appropriate Use Agreement. Failure to comply with this standard will lead to disciplinary action, up to and including termination.

Minimum Necessary Scenarios
Question: A patient that I cared for in the ICU was transferred to a medical unit. May I look in the patient's record to see how she is doing? May I call the unit and talk to the nurse who is now caring for her?
Answer: As much as this may reflect your compassion and concern for patients whom you have taken care of in the past, you may not inquire into her status unless there is a job-related reason. For example, if you have to complete a note in her record after she has left your unit, you may access her record to complete your note.

Minimum Necessary Scenarios
Question: I am a unit clerk, and while I was working night shift, a nurse named Mary became very ill. Another nurse named Alice transported Mary to the Emergency Department (ED) and described for the nursing staff in the ED what symptoms Mary had complained of. Alice was thanked for her assistance and told that she could return to her floor. Later that evening, I walked by Alice while she was on the computer and she called me over. She had Mary's lab results up on her screen. Can she do this?
Answer: No, Alice should not look at this information. She has violated the minimum necessary standard. Such a violation is punishable up to and including termination.

HIPAA Privacy: The Privacy Rule (Patient Rights)
The Privacy Rule provides patients with certain rights, commonly referred to as the PATIENT PRIVACY RIGHTS. These rights are communicated to the patient in the Notice of Privacy Practices. If a patient wishes to exercise any of these Patient Privacy Rights (outlined on the next slide), they must do so in writing. Contact Medical Records - Correspondence Department (443-849-2274) for the correct forms.

HIPAA Privacy: The Patient Privacy Rights
- Right to access PHI
- Right to request an amendment to PHI
- Right to request restrictions on how PHI is used for treatment, payment, and healthcare operations
- Right to receive confidential communications
- Right to request an accounting of disclosures
- Right to complain to the Department of Health and Human Services' Office for Civil Rights

HIPAA Privacy: The Privacy Rule (Notice of Privacy Practices)
The Privacy Rule requires that GBMC provide all patients with a copy of its NOTICE OF PRIVACY PRACTICES (NOPP). Each patient must sign an acknowledgment after receiving the NOPP unless the patient is unable to do so at the time of registration. Copies of the NOPP may be ordered from Purchasing.
[Cover text of the NOPP pictured on the slide: "Notice of Privacy Practices. Effective April 14, 2003. GBMC includes Greater Baltimore Medical Center, Gilchrist Hospice Care, and GBMC Foundation."]

HIPAA Privacy: The Notice of Privacy Practices
The Notice is a useful tool not only for you but also for the patient. The NOPP:
- describes how GBMC may use a patient's PHI
- provides a clear and concise description of the patient's rights
- discusses how a patient may opt out of the facility directory
- discusses how the medical staff may interact with the patient's family

HIPAA Privacy: The Privacy Rule (Privacy Policies)
The Privacy Rule requires that GBMC create policies regarding how GBMC's workforce is allowed to use and disclose (release) PHI. It also requires that GBMC make those policies available to its workforce and educate the workforce on them. All of GBMC's PRIVACY POLICIES are located on the Compliance Page of the GBMC InfoWeb. Hard copies of the policies may be printed directly from the InfoWeb or obtained from the Compliance Department.

HIPAA Privacy: The GBMC Privacy Policies
Examples of GBMC Privacy Policies include:
- #003.102 Minimum Necessary Use and Disclosure of Protected Health Information
- #003.105 Uses and Disclosures for Involvement in the Individual's Care and Notification Purposes
- #003.114 Uses and Disclosures of Protected Health Information for Law Enforcement Purposes

HIPAA Privacy: The Privacy Rule (Privacy Officer)
The Privacy Rule requires that GBMC designate someone who is responsible for:
- the development and implementation of the privacy policies
- privacy-related training and education
- investigating privacy-related complaints
- conducting routine audits to make sure that all of GBMC's workforce are complying with the privacy policies
The PRIVACY OFFICER for GBMC is Tara Miller.

HIPAA Privacy: The Privacy Rule (Reporting Privacy Concerns)
The Privacy Rule requires that GBMC provide a way for patients and workforce to REPORT PRIVACY CONCERNS or ask privacy questions.
- Tara Miller, GBMC Privacy Officer: 443-849-4327
- HIPAA GroupWise Resource: to send an email, type HIPAA in the "To" field
- The Business EthicsLine is now the Privacy Hotline too: 1-800-299-7991
- The Compliance Home Page on the GBMC InfoWeb is your source for HIPAA information.

HIPAA Privacy: Privacy Compliance Tips
- Keep all PHI locked and secured when you are away from your work area.
- Do not include any patient identifiers in the subject line of an email.
- Do not discuss PHI in public or common areas.
- Check the fax number for accuracy before sending a fax that contains PHI. All faxes must include a completed GBMC standard fax cover sheet (see the fax policy for limited exceptions). If a fax is sent to the wrong recipient in error, you must complete the Accounting of Disclosures log located on the Compliance page of the InfoWeb and send it to Medical Records.
- Sign-in sheets are allowed as long as we continue to follow the standard protocols that have always been in place at GBMC. Sign-in sheets should be limited to patient name and appointment time.

HIPAA Security: The Security Rule (Electronic Protected Health Information)
The Security Rule requires that administrative, physical, and technical safeguards be implemented to address the confidentiality, integrity, and availability of ELECTRONIC PROTECTED HEALTH INFORMATION (ePHI). Security of patient information is EVERYONE'S job! We owe it to our patients!

HIPAA Security: The Security Rule (User Identity)
The Security Rule requires that GBMC provide each computer system user with a unique USER IDENTITY. Your user identity is the combination of your user id and your password; do not share your password, and do not write it down where it can be easily retrieved by someone other than you. Your user identity is what is used to monitor your activity on the system(s). Do not leave yourself signed onto a computer and then walk away without signing off. You are responsible for any activity that occurs under your user identity. Your user identity appears on audit reports, which are frequently monitored.

HIPAA Security: Protecting Your Password
In order to protect against unauthorized access to our computers, GBMC has taken appropriate steps to monitor all activity on the network to ensure that people are not trying to break in to those systems. However, as a user of a GBMC system, it is important that you also take measures to ensure that people cannot access GBMC systems; this is partly accomplished through PASSWORD MANAGEMENT. Password management includes selecting a strong password, protecting your password, and frequently changing your password.
"A password should be like a toothbrush. Use it every day; change it regularly and DON'T share it with friends" (Usenet)

HIPAA Security: Examples of How to Create a Strong Password
1. Mix upper and lowercase characters: 3bLINdmice, 5gOLDenrings, 4cALLingbirdS
2. Replace letters with numbers: replace "E" with "3", as in "Sp3cial" or "3l3gant"
3. Combine two words by using a special character: Roof^Top, Sugar$Daddy, B@tterup!
4. Use the first letter from each word of a phrase from a song: "Oops! I did it again" becomes "O!idia"
In general, passwords should have a minimum length of 6 characters, but each application may have other requirements/limitations.

HIPAA Security: The Security Rule (Appropriate Use of Computing Devices)
The Security Rule requires that GBMC train its workforce on appropriate computer security and APPROPRIATE USE OF COMPUTING DEVICES. As a user of a GBMC system (including the Internet) you are required to:
- Use only your officially assigned user identity (e.g. user id and password)
- Save GBMC data only to the GBMC Network unless prior GBMC approval has been granted
- Notify your manager and the HIPAA Security Officer if your password has been disclosed or otherwise compromised, and immediately change your password

HIPAA Security: The "Do Nots" When Using GBMC Systems
As a user of a GBMC system (including the Internet) you may not:
- Install unauthorized software (e.g. screensavers, games, or instant messenger programs)
- Install any unlicensed software on a GBMC computer or device
- Abuse your Internet or e-mail access privileges
- Relocate any computer equipment without prior MIS approval
- Bring into GBMC any personal computer equipment (e.g. printer, burner, scanner, PDA, or digital camera) without prior MIS approval

HIPAA Security: The Security Rule (Security Policies)
The Security Rule requires that GBMC create SECURITY POLICIES regarding how GBMC will implement appropriate safeguards to ensure the confidentiality, integrity, and availability of ePHI. Examples of existing GBMC security policies are:
- #304 Email Policy
- #348 Information Security Policy
All GBMC policies are located on the GBMC InfoWeb.

HIPAA Security: The Security Rule (Security Officer)
The Security Rule requires that GBMC designate someone who is responsible for:
- The development and implementation of information security policies and procedures
- Regular reviews of records of information system activity, such as audit logs, access reports, and security incident tracking reports
- The development of awareness and training programs for all members of its workforce
The SECURITY OFFICER for GBMC is Tara Miller.
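As an added illustration (not part of the GBMC course or any GBMC system), the audit-log review the Security Officer is responsible for can apply the minimum-necessary test from the two scenarios above: each record access in a constructed EHR audit log is matched against constructed care-assignment records, with an assumed grace window in which completing a note after a transfer still counts as job-related, and anything unmatched is queued for the Privacy Officer to review. All data, names and the grace-window policy are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed EHR access-audit lines (sample data, not GBMC's): time, user id,
# patient medical record number, action.
AUDIT_LOG = """\
2024-03-04T22:10:00,jdoe,MRN1001,view_chart
2024-03-05T09:30:00,jdoe,MRN1001,add_note
2024-03-06T14:00:00,jdoe,MRN1001,view_chart
2024-03-04T23:45:00,alice,MRN2002,view_labs
2024-03-05T00:05:00,bob,MRN2002,view_labs
"""

# Constructed care assignments: (user, MRN, start, end). 'end' is when the
# patient left the user's unit (transfer) or the user's encounter closed.
ASSIGNMENTS = [
    ("jdoe", "MRN1001", "2024-03-04T07:00:00", "2024-03-05T08:00:00"),
    ("bob", "MRN2002", "2024-03-04T23:30:00", "2024-03-05T07:00:00"),
]

# Assumed policy parameters (hypothetical): after a handoff, completing a note
# in the record is still job-related for DOC_GRACE; plain chart viewing is not.
DOC_GRACE = timedelta(hours=4)
DOC_ACTIONS = {"add_note"}


@dataclass
class Finding:
    when: datetime
    user: str
    mrn: str
    action: str
    reason: str


def is_justified(user, mrn, when, action, assignments):
    """True if the access falls inside an active care assignment, or inside
    the documentation grace window for a documentation action."""
    for a_user, a_mrn, start, end in assignments:
        if a_user != user or a_mrn != mrn:
            continue
        start_dt, end_dt = datetime.fromisoformat(start), datetime.fromisoformat(end)
        if start_dt <= when <= end_dt:
            return True
        if action in DOC_ACTIONS and end_dt < when <= end_dt + DOC_GRACE:
            return True
    return False


def review_access_log(log_text, assignments):
    """Return every access with no job-related justification, for Privacy
    Officer review. Nothing is auto-judged a violation: the list is a queue."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, mrn, action = line.split(",")
        when = datetime.fromisoformat(ts)
        if is_justified(user, mrn, when, action, assignments):
            continue
        ever_assigned = any(u == user and m == mrn for u, m, _, _ in assignments)
        reason = ("access outside assignment window" if ever_assigned
                  else "no care assignment on record")
        findings.append(Finding(when, user, mrn, action, reason))
    return findings


if __name__ == "__main__":
    for f in review_access_log(AUDIT_LOG, ASSIGNMENTS):
        print(f"{f.when.isoformat()} {f.user} {f.mrn} {f.action}: {f.reason}")
```

In the sample, jdoe's note the morning after the transfer is accepted, jdoe's chart view two days later and alice's look at a coworker's labs are the two items queued for review.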

HIPAA Security: The Security Rule (Reporting Security Concerns)
The Security Rule requires that GBMC establish a way for all GBMC workforce to REPORT SECURITY CONCERNS. Report all risks you are currently aware of, and new ones as you see them, such as:
- Unauthorized or suspicious visitors
- Logged-on but unattended workstations
- Uncontrolled access to areas that house equipment and/or PHI
- Passwords on Post-it™ notes
- Staff accessing records without a need to know
Report all security concerns to Tara Miller.

HIPAA Privacy & Security
We hope this Computer-Based Learning course has been both informative and helpful. Feel free to review this course until you are confident about your knowledge of the material presented. Click the Take Test button on the left side when you are ready to complete the requirements for this course. Click the My Records button to return to your CBL Courses to Complete list. Click the Exit button on the left to close the Student Interface.