Transcript

Rhonda Anderson, RHIA, President

…is a PROCESS, not a PROJECT

2

Nursing Staff

Nursing Assistants

Staff from other depts.

Generalized information for staff

3

Anderson Health Information Systems, Inc.

4

Will identify requirements for:

Notice of Privacy Practices

Personnel Designations

Minimum Necessary

What needs to be done, when and by whom

5

Will leave the workshop with information to protect the residents' health information, as that is your responsibility as an employee, known in HIPAA as a member of the workforce.

6

Notice of PRIVACY PRACTICES & RIGHTS written in plain English and:

Acknowledgement by Resident/Responsible Party

Resident RIGHTS – Access to Records, manual and electronic

Restrict certain release

Authorization for Discussion of PHI

Right to request Amendment / Addendum (CA)

Right to receive Accounting of Disclosure

7

Allows the individual control over how PHI is used and disclosed

Describe practice related to use and disclosure of PHI

Minimum Necessary – use by staff

Covered entity's responsibilities under HIPAA

Other, such as marketing & research and the rule around that

Alternative means of communication

8

9

Prepare Notice of Privacy Practices – given to the resident as part of the admission process. This is audited by MRD as part of the admission audit.

10

Notice must include:

Information regarding uses and disclosures

Explanation of individual’s privacy rights

Covered entity's responsibilities under HIPAA

11

Indicates how the use and disclosure will be used for treatment, payment and operations.

How to file a complaint (Covered entity or Health and Human Services - Office for Civil Rights has been delegated as the responsible office)

Name, title and phone of contact person, privacy official

Effective date of notice

12

Post Notice at the facility, on the web – notify update

Make copies available

May use e-mail if Resident agrees (getting a signed consent is recommended)

Attempt to obtain acknowledgment of Notice of Privacy Practice -- at admit

Provide notice for current residents via notice and/or signature

13

Notice of Organization’s “PHI” Privacy Practices

Request Restrictions on Disclosures to Others of their “PHI”

Request alternative means of communicating “PHI”

Authorization to disclose PHI

Right to restrict access to records of the resident/responsible party paid in full for services/supplies

14

May inspect and get a copy of “PHI”

May request Amendments to their “PHI”

Must be given an accounting of organization’s disclosures of their “PHI”

Notified of breaches of PHI

15

Make good faith efforts to obtain written acknowledgment of Receipt of Notice of Privacy Practices – at time of ADMIT

“I ACKNOWLEDGE THAT I HAVE BEEN PROVIDED A COPY OF THE NOTICE OF PRIVACY PRACTICES, DATE, SIGN”

16

The facility shall limit the amount of PHI:

Disclosed or requested to documentation/related to protected health information that is reasonably necessary to carry out the job or fulfill the request for information.

To employees only to the extent they need the information to carry out their JOB DUTIES [what does this mean to you??]

17

WHAT DOES THIS MEAN TO YOU?

Discuss those items that would be needed to know for different jobs, i.e., Social Services needs access to all information that would impact the decisions re: advanced decisions for health care, transportation, family involvement, health condition, etc.; also, as a team member she/he needs access too --- specify ….(identify additional info. needed)

18

Examples

As a team member you would need access to the health information to make resident care plan decisions.

Certified Nursing Assistant – What information do you need to do your job?

19

The facility shall limit the amount of PHI available to each employee – role based

Employees shall be identified – in general at least as to what information they have available to them and under what circumstances.

Computerized EHR – a grid should be prepared.

20

The facility shall limit the amount of PHI:

Used or disclosed…and the entire record will be sent to the requestor only when needed and reasonably necessary to accomplish the request, i.e., attorney requests information.

Also, all responses to requests shall consider – release of minimum necessary to carry out the specific reason for the request.

21

Does NOT apply:

When sending to another health care provider; however, you only need to give the information that is needed!

Disclosure to the individual

Uses and disclosures made pursuant to an authorization

To Dept. of Public Health L & C, required for compliance, otherwise required by law, i.e., law enforcement, public health, Office of Inspector General

22

Administrative Requirements

Business Associates – Contractors, subcontractors are required to adhere to the Privacy, Security and Enforcement Rules

Privacy Official – Medical Record Designee

Security Official – Administrator or Designee

Enforcement and Costs

23

24

Addressed in the Administrative Requirements 45 C.F.R. 164.530

COVERED ENTITY (CE) must designate a privacy official who is responsible for the development and implementation of the privacy policies and procedures of the entity

25

Health Information Designee

Administrator, alternate

DSD – Provides training and orientation with assistance from the ‘MRD’ and the HIM Consultant

The AHIS HIM-CONSULTANT

26

164.530 requires Facility to:

Provide a process for individuals to make complaints regarding privacy violations (d)

File complaints without fear of retaliation (g)

Designate a contact person for receiving complaints (a)(1)(ii)

Document complaints received and their disposition

27

Cooperate with Federal Investigations of complaints

Sanction Members of the Workforce who violate privacy (e)

Mitigate to the extent feasible any harm caused by the violation (f)

28

What are other complaints that are happening in the facility from your residents/family, etc., that may extend to Privacy complaints? How are they handled? Are they discussed at standup?

How are complaints reported? Are complaints followed up/resolution doc?

29

The Security Official shall be responsible for the electronic requirements, the encryption, security of all types of e-equipment that includes resident identifiers and Protected Health Information

Conduct risk assessment re: breach and impermissible use

Assure, with coordination of Privacy Official, Notice to Office for Civil Rights of any breach of unprotected PHI

30

Conduct exercise here…

31

TOGETHER WE PROTECT PHI

32

Ongoing training, and specific training to key personnel as it relates to their duties

NEW EMPLOYEES

33

34
