
4/28/2015 DAVID LAWRENCE CENTER 1 Introduction to Client Confidentiality: Privacy & Security (HIPAA/Release of Information)

Dec 14, 2015


Kaylin England
Transcript
Page 1: 4/28/2015 DAVID LAWRENCE CENTER 1 Introduction to Client Confidentiality: Privacy & Security (HIPAA/Release of Information)

04/18/23DAVID LAWRENCE CENTER 1

Introduction to Client Confidentiality: Privacy & Security

(HIPAA/Release of Information)

Page 2:

Introduction

You will learn about:

PRIVACY

-Authorization to Release Information

SECURITY

-Password protection

-Encryption

STANDARDIZATION OF TRANSACTION CODE SETS

-Standardization of HIPAA transaction standards (5010)

-Modification of Medical Data Code Sets (ICD-10-CM)

Page 3:

HIPAA: Health Insurance Portability and Accountability Act

Privacy – The Privacy Rule protects all forms of Protected Health Information (PHI), including ePHI (electronic, paper, or oral).

Protected Health Information:

– Names

– Relatives’ names

– SSN

– Addresses

– DOB

– Employers

– Telephone and fax numbers

PHI – Protected Health Information: any client identifying information which, if disclosed, would provide identifying information about a client and/or their treatment.

ePHI – Electronic Protected Health Information: any PHI that is stored, held or transmitted, either permanently or temporarily, in any electronic format.

– Examples: Email; documents (Word, Excel, PowerPoint or plain text); electronic reports saved for printing at a later date; PDAs; Electronic Health Record; enterprise systems; network shares.

Portability – ensures that individuals moving from one health plan to another will have continuation of coverage and will not be denied coverage under the pre-existing-condition clauses.

Accountability – significantly increases the federal government’s fraud enforcement authority for privacy and security.

Administrative Simplification (August 2000) – standardizes electronic transmissions of health care data.

Page 4:

Client Rights to Privacy

• Right to have access to their information

• Request amendments to their information (DLC has the right to approve or deny their request)

• Request revocation of their previously signed authorizations at any time. Any information previously released will not be impacted by the revocation.

• Request an accounting of disclosures

1. Paper records – Access to Records Log

2. Electronic records – Access is monitored by IT through Profiler Reporting System.

Page 5:

Accessing and Requesting Protected Health Information

Authorization to Release Information – must be completed and on file in order to disclose information.

-Clinical Records Department processes requests on paper or in electronic format

-Fees ($1.00/page) (No charge for healthcare providers, Prison Health Services, Medical Examiner, and Department of Children and Families)

-Required to respond within 7 business days

-Who can complete the Authorization to Release Information?

– Client

– Biological Parent/Guardian

– Proxy

– Guardian Ad Litem - with appropriate court documentation.

Basic information is disclosed by signing the Authorization; if additional information is requested, the client must initial the items and specify if “Other”.

Authorization is not required for treatment, payment and operations.

Page 6:

Accessing and Requesting Protected Health Information

Access to information may be temporarily denied to the client.

Authorization from the treatment provider to release information to the client will be required in the instances identified below:

– DCF Involvement for Abuse and Neglect

– Baker Act admission for Suicide Attempts if requested within 30 days of discharge

– Custody cases

Why is this required? If a client is requesting information that the provider feels could be harmful to that client, we have the right to temporarily deny the request.

If denied, the Health Information Record Denial Request must be sent to the client.

Page 7:

DLC’s responsibilities to protect clients’ rights are:

Control who can access information – “Do I need to know this to do my job?”

Acknowledge/notify clients of their rights

HIPAA Acknowledgement Form – Client only needs to sign once, unless major changes are made to the document

Provide training to all staff

Sanction Policy

Policy and Procedures – Access on Center’s Intranet, your program supervisor or office manager, and Quality Assurance.

Documentation – Assure errors in the electronic clinical record are appropriately corrected using the void function. Assure entries in clinical records are not deleted.

Page 8:

DLC’s HIPAA Compliance Officers

Privacy Officer – Sharie Boscaglia

Security Officer - Faron Richards

Facility Security - Gary Boivin

Page 9:

Who Can See What?

DLC is considered a “Covered Entity”, which requires us to comply with HIPAA privacy and security regulations. (“Covered entity” includes most providers, clearinghouses and health plans.)

Any organization receiving PHI from DLC is mandated to have a Business Associate Agreement which requires them to comply with HIPAA regulations. (Exceptions are those who routinely receive PHI as part of treatment, payment or operations; otherwise a specific authorization is required.)

Only authorized personnel can see the physical chart or any electronic version or representation thereof.

Authorized Personnel are defined as those individuals directly involved in treatment, billing, records or auditing of the information. These individuals are allowed access, and only then in direct correlation with their job responsibilities.

Clinical personnel not assigned to the treatment team are prohibited from reviewing the chart, unless for peer review, auditing purposes or referral to program.

Administrative personnel should have limited access to the client’s record unless it directly relates to their job. (Medical Records, auditing, reporting, scheduling)

Page 10:

SECURITY

Security

– Security covers specifically electronic PHI (ePHI) which is being held, stored or transmitted.

Page 11:

Security

The Security Rule requires us to establish Administrative, Physical and Technical safeguards to control access to electronic protected health information in order to ensure:

– Confidentiality – No accidental or intentional disclosure to unauthorized recipients.

– Integrity – Data has not been altered or destroyed in an unauthorized manner. In no instance should information be deleted from a record.

– Availability – Accessible and useable upon demand by an authorized entity.

Page 12:

Security

Technology has allowed us to compile a large amount of protected data in our Information Systems. Loss of any of these systems, and subsequently the loss of the data contained therein, would have a devastating impact on the agency.

Technology Security – Passwords, encryption, etc.

Keep your passwords secret, known only to you. Never share them with anyone.

You are responsible for anything done on the system under your login ID.

You are never permitted to share login and password information; this is considered a serious offense and corrective action may be taken.

Commit your password to memory and change it often.

If you forget your password or suspect it has been compromised in any way, contact IT Helpdesk to have it reset for you.

Select passwords not easily guessed. Always include at least one number and/or a special character such as $ # ! &

Never leave your system while you are logged on – always use Ctrl-Alt-Del and lock computer.

Do not write your password down and leave it in a conspicuous place such as on your monitor or under the keyboard.

Contingency/Disaster Plan

DLC has Security Procedures in place; they can be located on the intranet.

Use common sense: never leave PHI on a fax or printer for others to see. Security is not just a computer issue. Faxing information to an incorrect fax number is considered a breach of confidentiality. The use of memory sticks and key fobs is against center policy.

Electronic access is managed by security level in Profiler, which is based on provider type, tree view and treatment team participants.

Page 13:

Security

3 ways to enter buildings: key, key fobs, electronic key pad

Discard all documents with PHI in proper locked container or use crosscut shredder.

Loading of personal computer programs on DLC computer equipment is NOT permissible.

The integrity of data on any Information System is the responsibility of every employee. Each person should verify the data they enter into the system by spot checking or data sampling to ensure it is in the proper location and is correct.

Any PHI that is going to be sent via email outside the Center must be put into a MS-Office document and encrypted, then sent as an email attachment. PHI should never be included in the “subject” line or content of the email. If you are required to email PHI as part of your job duties, please contact IT to ensure you are following adequate password and policy procedures.

Page 14:

Why Security is Important?

Public Trust

Morally and ethically the right thing to do.

Good business practice

Protection against liability claims and lawsuits

Avoids financial penalties and possible imprisonment

Page 15:

REPORTING BREACHES

Employees are required to notify the Privacy or Security Officer when they breach a HIPAA standard or witness or discover any other individual breaching a standard.

We are required to follow our policy on violations and they must be enforced.

Effective November 30, 2009 HIPAA standards allow for penalties up to $250,000 per violation and up to 10 years imprisonment for breaches.

• Civil penalties of $25,000 for Failure to Comply

• Criminal penalties such as:

• $50,000 fine and 1 year in prison for knowingly obtaining and wrongfully sharing information;

• $100,000 fine and 5 years in prison for obtaining and disclosing through false pretenses;

• $250,000 fine and 10 years in prison for obtaining and disclosing for commercial advantage, personal gain, or malicious harm.

Page 16:

TRANSACTION CODE SETS

Transaction Code Sets – a set of codes standardized by HIPAA used for billing purposes.

Improved the efficiency and effectiveness of the health care system by leading to cost reductions and improvements in benefits from electronic health care transactions.

Has enhanced security of protected health information.

Page 17:

WHY COMPLY?

It’s a Federal Law!

There are Civil and Criminal Penalties.

Enforced by the Office of Civil Rights

DLC requires it

It’s a good business practice

Page 18:

PLEASE COMPLETE QUIZ

THE END