Lawrence H. Muhlbaier, PhD Tasha Carmon, CHPC, CCRC, CCRP
Post on 14-Jan-2016
45 Views
Preview:
DESCRIPTION
Transcript
Lawrence H. Muhlbaier, PhD Tasha Carmon, CHPC, CCRC, CCRP
Associate Professor, B&B Senior Compliance Auditor DCRI SOM Compliance Office
Duke University SOMHIPAA Privacy Training
All Rights Reserved, Duke Medicine 2007
• This training will:
– Briefly define HIPAA and PHI
– Provide general education regarding access, use, and disclosure of health information in compliance with the Privacy & Security Rules
– Outline your responsibilities as faculty and staff in the proper use, disclosure and protection of health information.
– Describe your responsibilities and resources when there is a question, concern or violation.
– Omnibus Rule Update - January 2013
Purpose of HIPAA Training
2
All Rights Reserved, Duke Medicine 2007
What is the SOM Compliance Office
• Clinical Trials Quality Assurance (CTQA) – Human Subjects Research Compliance, Clinical Trials Billing
Compliance
• Compliance Review Services (CRS) – Financial Compliance, COI, Departmental reviews
http://medschool.duke.edu/research/compliance-office/staff
3
All Rights Reserved, Duke Medicine 2007
Why do I need HIPAA Training?
• Your duties may require you to have contact with Duke University Health System (DUHS) health information. Due to this contact, you have an obligation to maintain the privacy and security of this health information.
4
All Rights Reserved, Duke Medicine 2007
Our Responsibility as a Covered Entity
• Under the HIPAA Privacy and Security Rules, Duke must have policies and procedures in place to protect the privacy and confidentiality of both PHI and electronic PHI (ePHI).
– Covered entity: Healthcare provider, Healthcare plan, or Health care clearinghouse that handles protected health information.
5
All Rights Reserved, Duke Medicine 2007
Duke Community members who must comply with HIPAA
6
All Rights Reserved, Duke Medicine 2007
What is HIPAA?
7
All Rights Reserved, Duke Medicine 2007
Health Insurance Portability &Accountability Act (HIPAA)
• Enacted in 1996, HIPAA covers:
• Insurance Portability (allows one to take insurance to
their next job)
• Accountability (fraud Prevention)
• Administrative Simplification• Security• Privacy
8
All Rights Reserved, Duke Medicine 2007
Health Information Technology for Economic and Clinical Health (HITECH) Act
• HITECH Act, enacted as part of the American Recovery and Reinvestment Act ARRA) of 2009.
• Addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.
– Four categories of violations that reflect increasing levels of culpability;
– Four corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation; and
– A maximum penalty amount of $1.5 million for all violations of an identical provision.
9
All Rights Reserved, Duke Medicine 2007
HIPAA Privacy
• The Privacy Rule:• Protects information about an individual’s health,
health care, or payment for care; past, present, or future (PHI).
• Identifies permitted uses and disclosures of this PHI
• Gives patients some control over their health information (Patient’s Rights)
10
All Rights Reserved, Duke Medicine 2007
What is considered Protected HealthInformation (PHI)?HIPAA defines 18 identifiers of PHI, including:1. Names. 2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP Code, and their equivalent geographical codes, except for the initial three digits of a ZIP Code if, according to the current publicly available data from the Bureau of the Census:
• The geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20,000 people.
• The initial three digits of a ZIP Code for all such geographic units containing 20,000 or fewer people are changed to 000.
11
All Rights Reserved, Duke Medicine 2007
18 identifiers of PHI (cont.)
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
4. Telephone numbers. 5. Facsimile numbers. 6. Electronic mail addresses. 7. Social security numbers. 8. Medical record numbers. 9. Health plan beneficiary numbers. 10. Account numbers.
12
All Rights Reserved, Duke Medicine 2007
18 identifiers of PHI (cont.)
11. Certificate/license numbers. 12. Vehicle identifiers and serial numbers, including license
plate numbers. 13. Device identifiers and serial numbers. 14. Web universal resource locators (URLs).
15. Internet protocol (IP) address numbers.
16. Biometric identifiers, including fingerprints and voiceprints.
17. Full-face photographic images and any comparable images.
18. Any other unique identifying number, characteristic, or code, unless otherwise permitted by the Privacy Rule for re-identification.
Note: In combination with health information
13
All Rights Reserved, Duke Medicine 2007
Use & Disclosure of PHI
• Use: – Sharing PHI within Duke Medicine
and designated Duke University departments.
• Disclosure: – Sharing health information with
others or entities outside of Duke Medicine.
14
All Rights Reserved, Duke Medicine 2007
AppropriateUse & Disclosure of PHI
• Use and disclosure of PHI:– As authorized by the patient
• (informed consent)
– For treatment, payment, or operations (TPO)– For other certain circumstances as detailed in
the Privacy Rule (including Public Health disclosures)
15
All Rights Reserved, Duke Medicine 2007
What is needed in an Authorization to Use or Disclose PHI
– Description of PHI to be used or disclosed– Person(s) authorized to use or disclose the PHI– Person(s) to whom the covered entity may
disclose PHI– Each purpose for the use or disclosure– Expiration date or study event– Signed copy given to individual
16
All Rights Reserved, Duke Medicine 2007
Other HIPAA documents to consider
• Notice of Review Preparatory to Research– I will look but not record and/or allow to leave Duke.
• Waiver or Alteration of Consent and HIPAA Authorization (Recording identifiable private information w/out written/verbal authorization)
• Notice of Decedent Research
• Deidentification– (All 18 identifiers are removed)
• Limited Data Set with a Data Use agreement– Contact Gill Smith’s office
17
All Rights Reserved, Duke Medicine 2007
Limited Data Set with DUA
• Limited Data Set with a Data Use agreement– All identifiers except:
• Dates (DOB, DOD, Service dates), demographic (city, state, Zip, Zip +4)
– A contract must be signed between the disclosure and recipient.
18
All Rights Reserved, Duke Medicine 2007
Minimum Necessary
The Privacy Rule instructs that we follow the “minimum necessary” requirements when using, disclosing, or accessing PHI for anything other than treatment of a patient.
– Only the amount of PHI needed to perform the task should be used or reviewed by staff or disclosed to others.
– If asked to disclose PHI and this is outside your job responsibilities, contact your supervisor or the SOM Privacy Officer before releasing the information.
– If requested to give PHI to a third party (e.g., sponsor ) contact your supervisor or the SOM Privacy Officer for direction.
19
All Rights Reserved, Duke Medicine 2007
What can you do to help protect PHI?
• Do Not discuss PHI in public or discuss with anyone unrelated to the task at hand.
• Do Not access PHI if not needed for your job.• Do Not leave papers containing PHI unattended. Place papers face face down
or conceal to avoid access by unauthorized persons. Theft or loss of any paper record should be reported immediately to the SOM
• Do Not send unencrypted electronic PHI• Use a cover sheet when faxing confidential information; verifying fax number• Paper, images and other printed materials containing PHI should be destroyed
by shredding or striking out (redaction) so that it cannot be read or reconstructed.
• Please confirm if a DUA is needed for your research (BAAs are typically not needed for research)
• If you must retain SSNs for your research, please contact the SOM Compliance Office and/or the ISO.
20
All Rights Reserved, Duke Medicine 2007
Common Violations/Hot button issues
• Not offering the Notice of Privacy Practices to Healthy subjects.
• Retention of SSNs– Duke Policies: Collection, Storage, and Use of Social
Security Numbers
• The disclosure of PHI to a third party without authorization.
• Non-existence of DUA and/or BAA, when needed
• International Data
• Use of personal email for Duke business– Electronic Communication
21
All Rights Reserved, Duke Medicine 2007
Duke Privacy Policy
• Please review the Duke Breach of Protected Health Information/Patient Privacy Policy
22
All Rights Reserved, Duke Medicine 2007
What’s New!!
• Omnibus Rule• Data Loss Prevention (DLP)
– Diane Padgett, Compliance Auditor
23
All Rights Reserved, Duke Medicine 2007
Omnibus Rule – September 20, 2013
Final modifications to the HIPAA Privacy, Security, and Enforcement Rules require: •Modifications to individual authorization (allows “opt in” check boxes to be used in Consent and Authorization forms)
•Modifications to the NOPP and redistribution
•Business associates of covered entities are now responsible for HIPAA Privacy/Security breaches and reporting. (New business associate agreements)
•Individual rights to request e-copies of their health record and to restrict disclosures to a health plan concerning treatment for which one has paid out of pocket.
•New breach reporting requirements
•Privacy rule copies Genetic Information Nondiscrimination Act (GINA) to prohibit health plans from using or disclosing genetic information for underwriting purposes.
•Individuals deceased longer than 50 years are not longer covered
24
All Rights Reserved, Duke Medicine 2007
REPORTING A SUSPECTED EVENT
Why is it important?
25
All Rights Reserved, Duke Medicine 2007
How to report
• If a suspected privacy event occurs, please contact the SOM Compliance Office immediately (919-684-2475).
• Examples including accidentally releasing patient information to the wrong person, losing PHI such as a spreadsheet, etc.
• The Privacy Officer should also be notified if someone incorrectly discloses PHI to you
• If you wish to make an anonymous report or feel uncomfortable calling the DUHS Privacy Officer directly, you can call Duke Medicine’s Privacy Line 1-800-688-1867
26
All Rights Reserved, Duke Medicine 2007
What happens to me when I report a HIPAA concern?
Non-Retaliation/Non-Retribution Policy
•If you report a concern in “good faith”* no retaliation or retribution may be taken against you even if the investigation determines that a problem does not exist.•Supervisors will be disciplined for any attempts to punish or retaliate against anyone acting in good faith in reporting a privacy violation.
*Good faith means that the person reporting the concern believes that the problem exists.
27
All Rights Reserved, Duke Medicine 2007
Resources
• Duke SOM Compliance Office• Duke Medicine’s Privacy Line: 1-800-688-1867
• Duke IRB• DUHS Policies:
http://marlowe.mc.duke.edu/accred/duhspol.nsf/fb44e3dd791dbda0852567910047d969?OpenView
28
Thank You
Lawrence H. Muhlbaier, PhD Tasha Carmon, CCRC, CCRP 919-668-8774 919-684-6456
lawrence.muhlbaier@duke.edu tasha.carmon@duke.edu
Duke School of Medicine Compliance Office
top related