Advanced HIPAA 2016 - KMC University
3/19/2016
1
Advanced HIPAA 2016
Abbie Miller, MCS-P
Today’s Agenda
•A HIPAA eye toward social media and texting
•Please get your Business Associate agreements in order!
•Some definitions pertaining to HIPAA Privacy
•Dispose of patient information correctly
•New and existing employees must be trained, and it must be documented
What is the HIPAA Privacy Rule?
• Standards that address the use and disclosure of individuals’ protected health information or PHI by covered entities
• Standards for individuals' privacy rights to understand and control how their health information is used
Should You Bother With Compliance?
Cardiac Practice Fined for Not Shielding Patient Info
Should You Bother With Compliance?
Federal government has fined a Phoenix cardiac medical practice $100,000 for posting patient appt. information online
Should You Bother With Compliance?
…agreed to pay a penalty to settle violations of HIPAA…
Should You Bother With Compliance?
HHS investigations found no policies and procedures and few safeguards to protect PHI
Should You Bother With Compliance?
…also didn’t have documentation of trained employees, no risk analysis conducted, no privacy or security official
Some Definitions
• Covered Entity: any provider who transmits or receives health information in electronic form in connection with a covered electronic transaction.
• Business Associate (BA): A person or company that acts on behalf of a covered entity performing functions that involve the use or disclosure of PHI.
• Protected Health Information (PHI): Individually identifiable health information that is maintained or stored in electronic or any other form or medium. It includes demographic and financial information about the patient.
• Electronic Protected Health Information (ePHI): Individually identifiable health information that is transmitted, maintained, or stored in electronic form.
7 Steps to Achieve Privacy Compliance
1. Install a Privacy Officer
2. Define Minimum Necessary for Your Office
3. Write HIPAA Privacy Policies and Procedures
4. Customize Your NPP (Notice of Privacy Practices)
5. Train Your Team Members
6. Monitor Your Active Privacy Program
7. Business Associate Agreements In Place
Monitor Your Active Privacy Program
•Conduct Initial Program Audit
• Conduct Regular Self-Audits
• Privacy Program Audits
• NPP Acknowledgement Audits
1. Install a Privacy Officer
Be careful to choose someone who:
• can understand the rules and guidelines that govern HIPAA
• can acquire all new HIPAA rules and regulations and stay updated on any changes
• can comfortably work alongside practice leadership personnel
1. Install a Privacy Officer
Privacy Officer Role
• Develop, implement, maintain and assure adherence to the Privacy Policies and Procedures for your practice
Privacy Officer Purpose
• Oversee the protection of PHI
1. Install a Privacy Officer
2. Minimum Necessary Standard
•The minimum necessary standard requires you to evaluate your practices and enhance any safeguards as needed to avoid and limit unnecessary or inappropriate access to and disclosure of PHI.
2. Minimum Necessary Standard
•The Privacy Rule requires you to take reasonable action to limit the use or disclosure of, as well as requests for, PHI to the minimum necessary to accomplish your intended purpose.
2. Minimum Necessary Standard
•Determine your own set of standards in P&P
• Entire medical record may be appropriate in certain circumstances
• Identify who needs access to PHI to carry out duties
• Identify specific categories of PHI for each group
• Does not apply to:
  • Health care providers for treatment purposes
  • The individual in question
  • Those under authorization
  • Disclosures to HHS
  • Required by law
  • Prior to 4/14/03
Common Uses and Disclosures: TPO
• Does not require signed authorization
• Must list on the NPP
Treatment: Doctors can share information freely with each other
Payment: billing and collections activities; determination of eligibility
Healthcare Operations: Quality assurance, scheduling, auditing, and employee review
3. Write HIPAA Policies & Procedures
•You are required to have written HIPAA Policies and Procedures in place for a valid HIPAA Compliance Program in your office.
3. Write HIPAA Policies & Procedures
Patient’s Right to Restrict Disclosure
• Can request restriction of info to carry out payment or HCO
• Can restrict information given to a family member
• Not required to agree to the restriction
• Special form should be used for documentation
• Selling a patient mailing list
• Employer disclosures
• Life insurance eligibility questionnaires
• Marketing and testimonials
• Must stipulate the approved use
• Have an expiration date
3. Write HIPAA Policies & Procedures Incidental Uses and Disclosures
• Unintentional
• Overheard phone conversations when answered at the front desk
• A patient passing by another room where treatment is taking place
• Everyday operations
• Faxing or emailing PHI to the wrong destination
• Disclosing PHI to an unauthorized person
• If harmful, must be disclosed to the patient
• Always included on non-TPO disclosure log
3. Write HIPAA Policies & Procedures Disclosure Logs and Accounting
•Patient may request accounting of all non-TPO disclosures
•All but incidental disclosures should be logged
•Not required for those with authorization, reporting neglect or abuse, law enforcement, or prior to 4/14/03
3. Write HIPAA Policies & Procedures Use of Photographs
• Permitted but must be out of public view
• As part of a testimonial or other marketing effort, you must have authorization
• Can include in electronic or paper form
3. Write HIPAA Policies & Procedures Faxes
PRIVILEGED AND CONFIDENTIAL: This document and the information contained herein are confidential and protected from disclosure pursuant to federal law. This message is intended only for the use of the Addressee(s) and may contain information that is PRIVILEGED AND CONFIDENTIAL. If you are not the intended recipient, you are hereby notified that the use, dissemination, or copying of the information is strictly prohibited. If you have received this communication in error, please erase all copies of the message and its attachments and notify the sender immediately.
3. Write HIPAA Policies & Procedures Emails
This email, including any attachments, may include PRIVILEGED AND CONFIDENTIAL information and may be used only by the person or entity to which it is addressed. If the reader of this email is not the intended recipient, or his or her authorized agent, the reader is hereby notified that any dissemination, distribution, or copying of this email is prohibited. If you have received this email in error, please notify the sender by replying to this message, and delete this email immediately.
• steps back from counter
• Curtains or screens
• Speaking quietly
• Files turned backward
• Folders marked confidential
• All faxes/email that contain PHI marked confidential
• Fax machines in secure locations
3. Write HIPAA Policies & Procedures EOBs and COBs
• When coordinating benefits, blacken any other patient’s PHI on the EOB
• Clear out anything that does not apply to the claim
• Otherwise it is a violation of HIPAA law
3. Write HIPAA Policies & Procedures Oral Communication
•Overheard conversations are unavoidable
•Phone conversations are ok
•Training situations
•Calling out patient’s name is not a violation
3. Write HIPAA Policies & Procedures
Patient’s Right to Access Information
• Patient will request in writing
• Must act upon this within 30 days if onsite, 60 if written notice
• Can be in summary form if agreed to
• May charge a reasonable fee
3. Write HIPAA Policies & Procedures Destruction of Medical Records
•You are responsible for wrongful disclosures due to improper disposal of PHI.
•Shred, get receipt
•Erase
•Proper disposal
3. Write HIPAA Policies & Procedures
Copying Fees
• Most state laws provide a maximum that can be charged for copying medical records.
• NPP says first request in 12 months is free
3. Write HIPAA Policies & Procedures
Other Patient Rights
•Can submit amendment to record, not a change
•Must consider amendment, don’t have to accept
• Can designate a personal rep
• Deceased: legal rep
• Parent usually for minor
3. Write HIPAA Policies & Procedures Disclosures to Law Enforcement
• CANNOT disclose DNA information to law enforcement trying to locate an individual
•May use your own policies for the good of the patient
• Victims of domestic violence/abuse
• Privacy Rule does not interfere with federal or state laws
• Handled by your office Privacy Compliance Officer
• Patients may not be forced to waive their right to complaints as a condition of treatment
• Step 1: PCO formally files complaint within their office (complaint form)
• Step 2: PCO tries to resolve complaint within their office
• Step 3: If patient persists, instruct to file with Office for Civil Rights
3. Write HIPAA Policies & Procedures
• Have a policy & procedure for every area of PHI risk as well as for patient rights
• Include:
  • Faxes & emails
  • Phone calls
  • Neglect/abuse
  • Etc.
4. Customize Your NPP (Notice of Privacy Practices)
• HIPAA gives your patients a right to be informed of the privacy practices of your office
• HIPAA gives patients the ability to be informed of their rights concerning HIPAA privacy
4. Customize Your NPP (Notice of Privacy Practices)
•A statement from the provider to the patient on how the patient’s PHI will be handled and protected by the office.
•Must be provided on or before the first delivery of service, except in an emergency.
4. Customize Your NPP (Notice of Privacy Practices)
•Must make a good faith attempt to obtain a written acknowledgement that they have received a copy of your NPP.
5. Train Your Team Members
• Ongoing training required, updates
• Access PHI on “need to know” basis
• Keep employment records separate from treatment records
• Fully explain sanctions for failure to comply
6. Monitor Your Active Privacy Program
•Conduct Initial Program Audit
• Conduct Regular Self-Audits
• Privacy Program Audits
• NPP Acknowledgement Audits
Audit Your Privacy Program
Audit Privacy Safeguards
Audit Privacy in Patient Charts - NPP
7. Business Associate Agreements
•Must comply directly with HIPAA Privacy
•A person or entity that provides certain functions on behalf of the covered entity
•Not a member of the provider’s work force
• Providers to whom a CE discloses PHI for treatment (TX) are NOT business associates
Who are Business Associates?
•Vendors or other external entities that are considered business associates must also be considered part of a healthcare organization's security plan. All linked organizations should be properly identified and have signed a business associate agreement. This will ensure all involved parties are aware of what is mandated by HIPAA. Internal policies such as privacy notices and breach notifications should not be overlooked because they are as critical as the technology aspect.
7. Business Associate Agreements
The Privacy Rule requires that you obtain satisfactory assurances from your business associate that it will appropriately safeguard the PHI it receives or creates on behalf of your office. The satisfactory assurances must be in writing in the form of a contract or other agreement between yourself and the business associate.
Step 5: Policies & Procedures: Workforce Security
• You must provide only the minimum necessary access to ePHI that is necessary for a team member to do his/her job.
Step 5: Policies & Procedures: Contingency Plan
• A Contingency Plan is needed to implement strategies for recovering ePHI should an office have an emergency or occurrence that disrupts critical business operations.
• ePHI must be available when needed, and your contingency planning determines what is necessary in the event of a power outage or other occurrence.
• You must establish and implement, as needed, policies and procedures for responding to emergencies
• Your Contingency Plan must include a Disaster Recovery Plan and an Emergency Mode Operations Plan
Step 6: Policies & Procedures:Train Your Team Members
Step 7: Monitoring Ongoing Security Processes
• Ensure your security plans, policies and procedures continue to adequately protect your ePHI
• Implement an ongoing monitoring and evaluation plan
• A technical and non-technical evaluation of your security controls and processes must be done to document any needs for change
Step 7: Monitoring Ongoing Security Processes
• All appropriate areas and employees must be included in the evaluation.
• When an environmental or operational change has occurred that could significantly affect your ePHI, you must conduct an evaluation.
HIPAA Omnibus Rule - Breach
• Breaches are presumed reportable unless, after performing a risk assessment (applying four factors), it is determined there is “a low probability of PHI compromise”
• 1) Nature and extent of the PHI involved; consider:
  • Sensitivity of the information from a financial or clinical perspective
  • Likelihood the information can be re-identified
HIPAA Omnibus Rule - Breach
•2) The person who obtained the unauthorized access
consider:
• Does this person have an independent obligation to protect the confidentiality of the information
3/19/2016
39
HIPAA Omnibus Rule - Breach
•3) Whether the PHI was actually acquired or accessed
consider:
• Was the exposed PHI actually accessed by anyone who may have had the ability to access or acquire it
HIPAA Omnibus Rule - Breach
•4) The extent to which the risk has been mitigated
consider:
• Getting a signed confidentiality agreement from the recipient
HIPAA Omnibus Rule - Breach
•No need for independent entity to conduct risk assessment
•No need to conduct assessment if notification is made
•Take steps to reduce risks in future
•Must still adhere to requirements for individual notification, HHS notification, and media posting where applicable
HIPAA Omnibus Rule - Disclosures
At the patient’s request, you may NOT disclose information to the patient’s health plan if they have paid out of pocket for their care.
HIPAA Omnibus Rule - Marketing
•New rules limit circumstances when you can provide marketing communication to your patients WITHOUT written authorization
1) the physician receives no compensation for the communication;
2) the communication is face-to-face;
3) the communication involves a drug or biologic the patient is currently being prescribed and the payment is limited to reasonable reimbursement of the costs of the communication (no profit);
4) the communication involves general health promotion, rather than the promotion of a specific product or service; or
5) the communication involves government or government-sponsored programs.
Physicians are still permitted to give patients promotional gifts of nominal value.
HIPAA Omnibus Rule - Copies
•Changes to timeframes and fees for patient’s written requests of PHI
•You have 30 days (with ONE 30 day extension)
• Must provide access to EHR and other electronic records in electronic form if the patient requests
• “readily reproducible”
•Otherwise, must be in another mutually agreed upon electronic format
•Hard copies only ok when individual refuses all e-formats
•You must consider transmission security when emailing PHI
•You can send in unencrypted email if the patient is made aware of risks and still requests
• New rule modified the costs that may be charged to the patient for copies; include:
  • labor costs
  • supply costs if the patient requests a paper copy
  • if electronic, the cost of any portable media (such as a USB memory stick or a CD)
• Must follow state law if a lower reimbursement rate is set.
HIPAA Omnibus Rule - NPP
• NPP must be updated
• Include:
  • New breach notification guidelines
  • Updated patient rights concerning disclosures to health plans
  • Marketing using PHI
• Post revised NPP
• Make copies available
  • All new patients
  • Anyone who requests
• Must make a good faith attempt to obtain a written acknowledgement that they have received a copy of your NPP.
New Rules – Game Changer?!
“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” said HHS Office for Civil Rights Director Leon Rodriguez. “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”
Massachusetts provider settles HIPAA case for $1.5 million
Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively referred to as “MEEI”) has agreed to pay the U.S. Department of Health and Human Services (HHS) $1.5 million to settle potential violations of the HIPAA Privacy and Security Rules. MEEI has also agreed to take corrective action to improve policies and procedures to safeguard the privacy and security of their patients’ protected health information and retain an independent monitor to report on MEEI’s compliance efforts. OCR’s investigation followed a breach report submitted by MEEI, as required by the HIPAA Breach Notification Rule, reporting the theft of an unencrypted personal laptop containing the electronic protected health information (ePHI) of MEEI patients and research subjects. The information contained on the laptop included patient prescriptions and clinical information. OCR’s investigation indicated that while MEEI’s management was aware of the Security Rule, MEEI failed to take necessary steps to comply with the requirements of the Rule, such as conducting a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices, implementing security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained, and transmitted using portable devices, adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices, and adopting and implementing policies and procedures to address security incident identification, reporting, and response.
Does Enforcement Happen?
HHS Settles with Health Plan in Photocopier Breach Case
Under a settlement with the U.S. Department of Health and Human Services (HHS), Affinity Health Plan, Inc. will settle potential violations of the HIPAA Privacy and Security Rules for $1,215,780. OCR’s investigation indicated that Affinity impermissibly disclosed the protected health information of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives. In addition, the investigation revealed that Affinity failed to incorporate the electronic protected health information stored in the copiers’ hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the hard drives to its leasing agents.
HIPAA Social Media and Texting Woes
•In today’s world of Social Media dominance, it’s easy to forget that HIPAA violations are a real concern
•Texting is also considered “electronic means”
Scenario #1
• Associate doctor leaves to open new clinic
• Calls his buddy the CA and asks her to take pictures of a patient’s x-rays and text them because he doesn’t have time to wait for them to be sent through the mail
Scenario #2
• CA posts on Facebook: “Just met (name of famous football player)… he is such a nice guy”
• Friend replies, “How did you meet?”
• CA replies, “Came in to get adjusted for low back problem”
• Profile reveals CA works at ABC Chiropractic
General Rules of Thumb
Don’t talk about patients, even in general terms.
•It’s too easy to identify patients by geography, circumstances, etc.
•A simple slip up can have far-reaching effects
General Rules of Thumb
When providing educational content on your site, blog or Facebook page, avoid specifics
• OK to be general like, “Low back concerns of XYZ nature often present with these symptoms…”
• Never point out a specific case with any particulars that could be traced back to a patient
General Rules of Thumb
If you wouldn’t say it in the elevator, don’t put it online.
• You can try speaking your post out loud before hitting the enter key.
• You are always representing your office and your profession
General Rules of Thumb
Don’t mix your personal and professional lives.
• Use separate accounts for your personal and professional lives
• Don’t friend patients on Facebook
• Check privacy settings often and assume that anything you put online could become public
• If you want to have a professional presence on Facebook, create a page apart from your personal account
General Rules of Thumb
Only use your cell phone for business texts if it is password protected
• Don’t use it for appointment scheduling or for having a whole conversation about a condition
• This becomes part of the medical record
• Need to be able to track and document
Record Retention
•HIPAA related documents are retained for 6 years
•Applies to authorizations, audit records, CA agreements, and contracts
Destruction of Medical Records
• You are responsible for wrongful disclosures due to improper disposal of PHI.
• Shred, get receipt
• Erase
• Proper disposal: not sitting around in office
Know What Happens if you Sell Your Practice
• HIPAA allows for the exchange of PHI without a written release between current and prior, or contemporaneously treating
• Does not permit the handover of PHI from one doctor to another, without the patient’s written permission, when a practice is being sold
• Dr. A does not know if all of his/her former patients are going to treat with Doctor B. For this reason, Dr. A cannot just hand over patients’ confidential records to Dr. B
• Just handing the records over to the purchasing practitioner or corporate entity may seem expedient, but it is a HIPAA violation
Possible Solutions
• Patients may not stay with new provider
• May make sense for the purchasing practitioner to agree to retain the records on site, essentially providing storage services for the selling practitioner’s records
• Seller and purchaser enter into a contractual agreement that the purchaser will provide the seller with access to the physical record upon reasonable notice (such as two business days), and that the purchaser will not release or dispose of any original records without the seller’s written permission
• As a part of this process, it will be necessary for seller and purchaser to execute a BAA, which helps ensure compliance with HIPAA’s requirements
Authorization is Required
•Patients who elect to stay with new provider can sign authorization
•New provider can then legally access the stored records
•Authorization is kept on file
HIPAA is a Process…Not an Event
•Implementation requires commitment
•Don’t try to do it alone
• Realize that, like OIG Compliance, it’s a process that will be ongoing, evergreen
•Take the first step to update what you have in place with these new forms and procedures
•Have fun! Helping Increase Paperwork Across America!