HIPAA ANNUAL TRAINING:

by cody walker on 24 December 2013


Transcript of HIPAA ANNUAL TRAINING:

What is HIPAA?

HIPAA stands for the Health Information Portability and Accountability Act, a federal law whose administrative simplification provisions:
• Protect the privacy of patient information, both electronic and physical
• Require “minimum necessary” use and disclosure
• Specify patient rights to approve access to and use of their medical information
• Provide a complaints process that accepts, records, and investigates patient complaints
• Designate a Privacy Official

What is HITECH?

HITECH stands for Health Information Technology for Economical and Clinical Health. It:
• Updated the standards for HIPAA privacy and security provisions
• Required notification of breaches of security/privacy
• Increased fines and penalties for privacy violations
• Gave patients the right to restrict disclosure to health plans for services paid in full out of pocket (the “hide rule” or self-pay restriction)
• Mandates that Business Associates are directly liable for compliance with HIPAA provisions

How HIPAA Applies to You

All Huntsville Pediatric and Adult Medicine Associates employees must be trained on HIPAA policies and the specific procedures that may affect the work you do. The rules apply to you whenever you look at, use, or share protected health information.

Protected Health Information

Protected Health Information (PHI) is:
• Any information related to a patient’s past, present, or future physical and/or mental health or condition
• Information that includes at least one of the 18 personal identifiers
• Information in any form: written, spoken, or electronic (including x-rays, video, and photographs)
PHI excludes information on individuals who have been deceased for 50 years or more.

Protected Health Information Identifiers

The 18 identifiers are:
• Name
• Postal address
• All elements of dates except year
• Telephone number
• Fax number
• Email address
• URL address
• IP address
• Social security number
• Account numbers
• License numbers
• Medical record number
• Health plan beneficiary number
• Device identifiers and their serial numbers
• Vehicle identifiers and serial numbers
• Biometric identifiers (finger/voice prints)
• Full face photos and other comparable images
• Any other unique identifying number, code, or characteristic

Who uses PHI?

• Anyone who works with or may view health, financial, or confidential information containing HIPAA protected health identifiers
• Everyone who uses a computer or electronic device that stores and/or transmits such information
• All medical staff
• Administrative staff with access to PHI
• Accounting and payroll staff
• Researchers and staff investigators
• Almost EVERYONE, at one time or another

Use or Disclosure of PHI

Before Huntsville Pediatric and Adult Medicine Associates (HPAM) can use or disclose PHI, each patient must receive and sign a Notice of Privacy Practice that:
• Describes how HPAM may use and disclose the patient’s PHI
• Advises the patient of his/her privacy rights
HPAM must attempt to obtain the patient’s signature acknowledging receipt of the Notice. In emergency situations, if the signature is not obtained, document the reason why.

Notice of Privacy Practice for PHI

• The Notice of Privacy Practice allows PHI to be used and disclosed for purposes of TPO: Treatment (T), Payment (P), and Operations (O)
• TPO includes teaching, medical staff/peer review, legal, auditing, customer service, business management, and releases mandated by law
• HPAM must have a Business Associate Agreement with vendors who will use, or may potentially have access to, PHI when providing a service for Institute for Life Enrichment

Protecting a Patient’s Privacy

Ways in which you can ensure a patient’s information is protected:
• Treat all information as if it were about you or your family
• Do not discuss confidential patient information in hallways, the break room, restrooms, etc.
• Shred all documents and CDs containing patient information before discarding them
• Don’t discuss patient information with family, friends, or people in the facility who are not directly involved in treatment, payment, or operations
• Don’t leave charts or schedules in plain view, and don’t leave documents that may contain patient information open on your computer
• Access only the information you are authorized to access
• Do not share passwords with anyone
• Do not allow visitors or patients in areas where charts are stored
• Conduct telephone conversations about confidential patient information discreetly

Remember

It’s common sense:
• Use information only when necessary to perform your job duties
• Use only the minimum necessary to perform your job duties
• Ask if you do not know

• Do not share any patient information on social media
• Information obtained from your patient/provider relationship is confidential
• Posting information without authorization is a violation of the patient’s right to privacy and confidentiality
• Even if you think you’ve de-identified the information, it still might be identifiable to others
NOTE: de-identification of PHI requires removal of all 18 PHI identifiers

Verbal Exchanges

• Patients may see normal clinical operations as violating their privacy
• Be aware of your surroundings when talking
• Do not leave PHI on answering machines
• Ask yourself: “What if it was my information being discussed like this?”

Know Where You Left Your Paperwork

Double check!!
• Verify that you are giving documents to the correct patient.
• Check printers, copiers, and faxes when you are done using them.
• Don’t leave hard copies of PHI lying on your desk.


Privacy Breach from Lost, Stolen, or Misdirected Information

A privacy breach occurs when information is:
• Physically lost or stolen: paper copies, films, tapes, electronic devices
• Misdirected to others: verbal messages sent to or left with the wrong person or on the wrong voicemail; mislabeled mail or misdirected email; wrong fax number or wrong phone number
• Placed on the Internet: websites, Facebook, Twitter

Security of Electronic Patient Information (ePHI)

As an employee of HPAM, you are responsible for following policies and procedures to protect the privacy and security of all protected health information.

When you suspect or know of a breach, you must report it to the Privacy Officer IMMEDIATELY.

Good security standards follow the “90/10” rule:
• 10% of security safeguards are technical
• 90% of security safeguards rely on the computer user (YOU) adhering to good computer practices

Computer Security

• You are responsible for protecting your user ID
• You are responsible for protecting your password
• You are responsible for logging out of programs that access PHI when they are not in use
• Privacy violations carry penalties including fines, termination of employment, and imprisonment
• Immediately report any known or suspected privacy breaches to the Privacy Officer at x 8926

• Ensure your computer and data are secured: use locked drawers, keep equipment in secure areas, etc.
• Create strong passwords and do not share them
• Log off the terminal when you are done, or whenever you walk away
• Use a privacy screen
• Lock your PC using Ctrl + Alt + Delete
• Require a password to start or wake up your computer

Scenarios

Question and Answer
HIPAA Resources

• Health and Human Services, Understanding HIPAA: www.hhs.gov/ocr/privacy
• Texas Medical Association, Legal section: www.texmed.org
• Texas Medical Association Policies and Procedures
• HIPAA Privacy Rule: What Employers Need to Know: www.twc.state.tx.us/news/efta/hipaa

Course Objectives

Privacy and Security Training explains:
• The requirements of HIPAA/HITECH regulations, privacy laws, and procedures that protect the privacy and security of confidential data
• How these affect your job
• What information must be protected
• Your responsibilities for good computer practices
• How to report privacy and security breaches

Scenario 1

I do not work with patients or have access to medical records; however, I see patients pass by my desk in the clinic. Can I talk about the patients with my coworkers, family, and friends even if it has nothing to do with my job?

A. You may not discuss any patient information with anyone unless required for your job
B. You may only talk about the patient with coworkers
C. You may only talk about the patient with your family and friends

Scenario 1 - Answer

The correct answer is A: You may not discuss any patient information with anyone unless required for your job.
Information can only be used as needed for your job.

Scenario 2

My co-worker’s husband notified me that my co-worker was recently admitted to the Emergency Department and won’t be coming into work tomorrow. My co-worker and I have a great relationship, and I’d like to know how she’s doing. May I access her records to check on her condition?

A. It is okay as we are friends, so I’m sure she wouldn’t mind me looking at her records.
B. I already have approval to access patient clinical systems, so no one will know I accessed it.
C. It is not necessary for my job, so I would be violating the patient’s privacy by accessing her records. I should contact her husband to check on her condition.

Scenario 2 - Answer

The correct answer is C: It is not necessary for my job, so I would be violating the patient’s privacy by accessing her records. I should contact her husband to check on her condition.
It is not part of your job; your access to your co-worker’s record would be for personal reasons. Therefore, accessing the record would be a violation of your co-worker’s privacy. Furthermore, your access to the record is automatically recorded and tracked. There could be serious consequences for your employment.

Scenario 3

You are very upset because a young patient of yours has just coded and could not be resuscitated. You want to share this experience and your thoughts and feelings with your family and friends on Facebook. What must you consider before doing this?

A. Posting this on Facebook is OK as long as you do not identify the patient by name or identify the hospital, and you limit the recipients to your friends and family.
B. You cannot post anything on Facebook that could possibly lead to identification of the patient.

Scenario 3 - Answer

The correct answer is B: You cannot post anything on Facebook that could possibly lead to identification of the patient.
• Facebook is considered a public domain, and anything you post there is considered public information.
• Posting clinical details without authorization is a violation of your patient’s right to privacy and confidentiality.
• Your Facebook profile may identify your place of work and your occupation. When linked with your posting, this provides additional details that may identify the patient.
• Information you obtain from your patient/provider relationship is confidential.

Scenario 4

Is the Facebook post below a privacy breach?
A. Yes
B. No

Profile
Name: Jane Doe
Lives In: San Francisco, CA
Works At: Patient Coordinator at the Helen Diller Family Comprehensive Cancer Center, UCSF Medical Center

September 4, 2013 at 3:12PM:
Jane writes: “OMG, I was just face to face with someone REALLY famous in my clinic today… so sad though, she was just diagnosed with stage 3 breast cancer. :(”

Scenario 4 - Answer

The correct answer is A: Yes.
Even though Jane tried to de-identify the information by omitting the celebrity’s name, it is still PHI.
Remember: PHI = Health Information + one or more of the 18 PHI identifiers
• Health information: the celebrity’s diagnosis (breast cancer)
• Identifier: date of service
Someone may have seen a celebrity walk into the medical center practice on 9/4/13, or seen a celebrity’s name on the practice’s 9/4/13 schedule. If so, this post reveals to them that the celebrity has breast cancer.
Best Practice: Do not share on social media any details of a patient situation you experienced at work.

Scenario 5

I called a patient’s phone number and left a voice mail for Mr. John Smith to contact UCSF regarding his scheduled thyroid surgery. Was this a privacy breach?

A. No, the patient provided his phone number
B. Potentially, I stated his name and medical procedure
C. No, I did not state the medical reason for the surgery

Scenario 5 - Answer

The correct answer is B: Potentially, I stated his name and medical procedure.
A patient’s name in conjunction with any medical information constitutes PHI. You do not know who will hear the message; the patient may not have told his family, friend, or roommate. It is best practice to leave the minimum amount of information needed: your name, your phone number, and that you are from UCSF. Never leave PHI on an answering machine. Ask your supervisor for the voicemail procedure in your area.
