2015 User Conference HIPAA and Patient Safety: Why It Matters April 24, 2015 (GEN-AO1) Presented by: Susan J. Kressly, MD, FAAP Medical Director, Office.

Presentation transcript:

2015 User Conference HIPAA and Patient Safety: Why It Matters April 24, 2015 (GEN-AO1) Presented by: Susan J. Kressly, MD, FAAP Medical Director, Office Practicum General Session

2015 Office Practicum User Conference
Learning Objectives
▪ Understand what HIPAA and Patient Safety have to do with my practice
▪ Identify resources that I can use for my practice
▪ Identify 3 areas where I can improve security and safety for my practice

Disclaimer

HIPAA
▪ HIPAA Privacy Rule
▪ HIPAA Security Rule
▪ HIPAA Breach Notification Rule
▪ Patient Safety Rule

Who does this affect?
▪ ALL medical practices
▪ NOT just those who participate in Meaningful Use or Medical Home

HIPAA Privacy Rule
▪ Major goal: HIPAA Privacy is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being
▪ Administrative Requirements: a covered entity must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule

HIPAA Privacy Rule Let’s take a closer look……

HIPAA Privacy Rule
▪ Establishes national standards
▪ Protect individual’s medical records and other personal health information (PHI)
▪ Applies to health plans, healthcare clearinghouses, health care providers

HIPAA Privacy Mandates Practices
▪ Have in place safeguards to protect the privacy of PHI
▪ Set limits on use and disclosure of PHI without specific patient authorization
▪ Recognize patients have rights over their PHI including:
  ▪ A right to examine and receive a copy of their health record
  ▪ A right to request correction of their health record information

Provider Notice of Privacy Policies
▪ Provide notice no later than the first date of service (except in emergencies)
▪ Make a “good faith” effort to obtain written acknowledgement of receipt of the notice & if unable document why
▪ Make the most recent notice (one that reflects any changes in policies) available for individuals to request and take with them

Sample/Model HIPAA Privacy Policies
▪ HHS Sample Policies in English & Spanish
▪ HIPAA Resources from AAFP
▪ Kressly Pediatrics HIPAA Policy (feel free to adapt for your practice)

HIPAA Policy Question 1
Q. Do we have to update our HIPAA policy annually?
A. No. A covered entity is required to promptly revise and distribute its notice whenever it makes material changes to any of its privacy practices.

HIPAA Policy Question 2
Q. Do we have to get annual or periodic signatures from patients/families?
A. No. Only to acknowledge the original receipt of the HIPAA policy.

HIPAA Policy Question 3
Q. Is our practice required to notify patients via mail or of any changes to our policy?
A. No. If you make a change to your policy, you must make the new policy available to your patients, post it in a clear & prominent location in your facility and on your website if you have one.

HIPAA Privacy Question 1
Q. Can an 18 year old sister pick up forms or a prescription for her younger brother?
A. Yes. The practice may share relevant information with the family & other persons if it can reasonably infer, based on professional judgment, that the patient does not object.

HIPAA Privacy Question 2
Q. What can I do for other offices/health systems who refuse to send me information without expressed written consent from the patient?
A. Consider creating a fax form requesting information with HIPAA references at the bottom

HIPAA Security Rule
▪ Goal: The Security Standards for the Protection of Electronic Protected Health Information establish a national set of security standards for protecting certain health information that is held or transferred in electronic form
▪ Administrative Requirements: a covered entity must adopt reasonable & appropriate policies and procedures to comply with the provisions of the Security Rule

HIPAA Security Resources
▪ Information Security Policy Template
▪ Security Audit Template Tool for Small Practices
▪ Cybersecurity Best Practice Checklist
▪ Regional Extension Center Resources
▪ State Medical Society Resources

HIPAA Security Question 1
Q. Must our practice certify our compliance with the standards of the Security Rule?
A. No. There are no standard or certification requirements. An organization can decide whether to use external third parties to perform security assessments, but that does not absolve practices from meeting their legal requirements.

HIPAA Security Question 2
Q. Once we have completed a security risk assessment, are we finished?
A. No. Compliance is not a one-time goal but an ongoing process. In general, this includes performing a risk analysis; implementing reasonable and appropriate security measures; and documenting and maintaining policies, procedures and other required documentation.

HIPAA Security Question 3
Q. Does security only take into consideration our computer access to our EHR?
A. No. Practices should examine physical security safeguards such as unlocked back doors, policies regarding access for terminated employees, visible access to large monitors in a high patient traffic area, etc.

HIPAA Breach Notification Rule
▪ The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates (BA) to provide notification following a breach of unsecured protected health information
▪ Requirements: following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary, & in certain circumstances, to the media

Breach Notification Requirements
▪ Individual Notification
  ▪ Must occur within 60 days of discovery of breach
  ▪ Must occur via first class mail unless prior agreement that patient agrees to notification
▪ If >500 patients involved in a state/jurisdiction, required to provide notice to prominent media outlets serving the area

HIPAA Breach Question 1
Q. Do I have to report all accidental discovery of any PHI to the HHS secretary?
A. No. However, any impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

Factors to Consider in Defining “Breach”
▪ The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification
▪ The unauthorized person who used the protected health information or to whom the disclosure was made
▪ Whether the protected health information was actually acquired or viewed
▪ The extent to which the risk to the protected health information has been mitigated.

HIPAA Breach Question 2
Q. If there were only 3 patients affected in a HIPAA breach in my office, do I still have to report this somewhere?
A. Yes. All breaches are to be submitted to the Secretary of HHS. Can be done annually for breaches affecting < 500 patients or at the time of occurrence (reporting tool on HHS website)

Patient Safety Rule
▪ The Patient Safety and Quality Improvement Act (PSQIA) establishes a voluntary reporting system designed to enhance the data available to assess and resolve patient safety and health care quality issues
▪ To encourage the reporting and analysis of medical errors, PSQIA provides Federal privilege and confidentiality protections for patient safety information to Patient Safety Organizations (PSOs)

HIPAA Enforcement
▪ Enforcement has been transferred to the Office for Civil Rights
▪ Enforces Privacy & Security Rules in several ways
  ▪ by investigating complaints filed with it
  ▪ conducting compliance reviews to determine if covered entities are in compliance
  ▪ performing education and outreach to foster compliance with the Rules' requirements

HIPAA Should You Fear the HIPAA Police?

No Fear Needed
▪ HIPAA is not meant to be punitive
▪ Most investigations lead to continued improvement
▪ Make HIPAA a Continuous Improvement Project in your practice
▪ Work to identify gaps and then address them
▪ Good Overview/Additional Information available at multiple places including Medical Economics

Best Practices
▪ Have a designated HIPAA Privacy & Security Officer with alternate (in case of vacation)
▪ Commit to ongoing HIPAA education for your office
▪ Maintain a folder of policies, procedures, business associate agreements, potential breach reporting templates, breach notification templates, etc.
▪ Review annually and discuss whether updates are necessary

Questions?

We want your feedback!