HIPAA & HITECH Confidentiality

Upload: magdalene-merritt

Post on 05-Jan-2016


TRANSCRIPT

Page 1: HIPAA & HITECH Confidentiality. Audio Enabled This course has an audio track. Please ensure your speakers are turned on. Volume can be adjusted using

HIPAA & HITECH Confidentiality

Page 2

Audio Enabled

This course has an audio track. Please ensure your speakers are turned on.

Volume can be adjusted using the controls on the bottom left.

Page 3

Course Agenda

HIPAA & HITECH

Privacy Beyond HIPAA & HITECH

Clinic Responsibilities

Resources

Page 4

Target Audience: This course is required for all employees, interns, board members and certain volunteers

Course Length: This course takes about 30 minutes to complete

Course Completion: You must complete the learning module and the assessment to receive credit for this course

Objectives

Upon completing this course, you will be able to:

Recognize HIPAA & HITECH requirements

Identify situations where privacy could be at risk and take appropriate action

Know when and where to report issues and/or seek help

Page 5

Why Privacy Matters

The healthcare environment is subject to a growing number of regulations and enforcement activities

HIPAA and HITECH are federal laws with legal consequences for violations. They protect privacy, confidentiality and security of “individually identifiable health information”

Other privacy laws protect confidential business information

Page 6

General Principles for Uses and Disclosures

A major purpose of privacy regulations is to define and limit the circumstances in which an individual’s protected health information may be used or disclosed by covered entities

A covered entity, such as the Open Door Clinic, may not use or disclose protected health information, except as the Privacy Rule permits or as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing

Page 7

Privacy & Non-Clinical Roles

Privacy goes beyond employees in clinical assignments

Non-clinical staff, interns, volunteers, and board members could be exposed to confidential information, so it is important for them to understand the basic tenets of privacy

Understanding Open Door requirements will help ensure your success and avoid inadvertently putting the clinic at risk

Page 8

HIPAA and HITECH

Page 9

HIPAA and HITECH

What: The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996. The U.S. Department of Health and Human Services (HHS) issued major revisions to HIPAA's privacy and security regulations in 2013.

The Health Information Technology for Economic and Clinical Health Act (HITECH) implemented new rules for the accounting of disclosures of a patient's health information, extending existing disclosure requirements to electronic health records (EHR).

Why: HIPAA and HITECH provide federal protections for individually identifiable health information (i.e., protected health information or “PHI”) held by Covered Entities and Business Associates and give patients increased control over the use and disclosure of their health information.

Who: Covered Entities are Health Plans, Health Care Clearinghouses or healthcare providers who transmit health information electronically in connection with certain administrative or financial transactions standardized under HIPAA and HITECH.

HIPAA and HITECH regulations must be followed by employees, third party contractors and volunteers.

Page 10

Protected Health Information (PHI)

Over time, the U.S. Department of Health and Human Services (HHS) has issued several regulations to implement HIPAA requirements and new requirements under HITECH

The Privacy Rule standards address the use and disclosure of protected health information (PHI) in any form by the Covered Entities

Protected Health Information (PHI) refers to individually identifiable health information – meaning the information can be linked to a particular person

Page 11

Examples of Individually Identifiable Health Information

• Name
• Address
• Employer
• Relatives’ names
• Date of Birth
• Telephone and fax numbers
• e-mail addresses
• IP addresses (Web URL)
• Social Security Number
• Medical Record Number
• Member or account number
• Any device or vehicle serial number
• Voice/fingerprints
• Photos
• Admission date
• Discharge date
• Date of Death
• Health plan beneficiary numbers
• Account numbers
• Full-faced photographic images
• Any other unique identifying number, characteristic, or code

Page 12

Minimum Necessary Principle

The “minimum necessary” principle requires that use, disclosure, or requests for PHI be limited to the “minimum necessary” needed to perform the specified job or function and that access to such PHI is limited to only those individuals who require it to perform their assigned activity

System security supports us in meeting the minimum necessary principle

Page 13

2013 Updates – Overview

The final Omnibus Rule of 2013 expands the obligations of health care providers to protect patients’ protected health information (PHI), extends these obligations to business associates who have access to PHI, and increases the penalties for violations of any of these obligations.

Highlights:

• NPP
• Breach notification requirements
• Disclosures to health plans
• Marketing communications
• Disclosures after death
• Sale of PHI

The new rules affect clinic confidentiality policies and procedures in several areas, including:

• Copies of e-PHI
• Emailing PHI
• Charging for copies of e-PHI or PHI
• Research authorizations

Notice of Privacy Practices (NPP) must be amended under the new rules to reflect all of the changes highlighted above. Because of the significance of these changes, the revised NPP must be made available in our offices to all new patients and to anyone else on request.

Page 14

2013 Updates – Business Associate Agreements

What: Under the Omnibus Rule, certain key changes impact the area of Business Associate Agreements:

• The definition of Business Associates has been enlarged
• The liability and obligations of Business Associates have been expanded so that they are directly liable for HIPAA Privacy and Security rules
• A new standard has been established for privacy breach notification

Who: The new rules expand the universe of individuals and companies that must be treated as business associates to include Patient Safety Organizations and others involved in patient safety activities, health information organizations like e-prescribing gateways or health information exchanges that transmit and maintain PHI, and personal health record vendors that practitioners sponsor for their patients.

As a result of these changes, Open Door will be reviewing and entering into new Business Associate agreements with those who create, receive, store, maintain or transmit PHI on our behalf.

Page 15

HIPAA/HITECH Enforcement & Penalties

Who: HIPAA and HITECH rules are enforced by the Office for Civil Rights (OCR) of HHS and the Department of Justice. State attorneys general may also bring civil actions in federal court on behalf of their citizens who are harmed by a violation.

Civil: HITECH creates a tiered system for HIPAA civil violations/penalties, up to $1.5M per calendar year.

Criminal: Criminal penalties will apply against a person (including an employee or other individual) where PHI is maintained by a Covered Entity and the individual obtained or disclosed the information without authorization in violation of HIPAA.

Page 16

Let’s Check Your Understanding

HIPAA is an acronym. Listed below are two options for the words that it represents.

Please click the correct answer.

Health Insurance Privacy and Accessibility Act

Health Insurance Portability and Accountability Act

Page 17

You’re right!

HIPAA stands for the Health Insurance Portability and Accountability Act

HIPAA is a federal law that sets rules for health care providers and health plans about who can look at and receive health information

The HIPAA Privacy Rule ensures individuals have rights over their health information, including the right to get one’s own information, make sure it’s correct, and know who has seen it

Page 18

Good try but not the right answer!

HIPAA stands for the Health Insurance Portability and Accountability Act

HIPAA is a federal law that sets rules for health care providers and health plans about who can look at and receive health information

The HIPAA Privacy Rule ensures individuals have rights over their health information, including the right to get one’s own information, make sure it’s correct, and know who has seen it

Page 19

Page 20

Privacy Beyond HIPAA and HITECH

Page 21

Privacy Beyond HIPAA & HITECH

What: Confidential data beyond PHI includes:

• Clinic business information (financial data, grant info, etc.)
• Employee information (salary, performance, etc.)
• Proprietary software or tools

Why: A variety of legislation protects other confidential data that you may encounter in the course of your work

Who: Regulations must be followed by employees, third party contractors and volunteers

Page 22

Clinic Responsibilities

Page 23

Open Door Clinic Responsibilities

• Health Centers are considered Covered Entities under HIPAA and HITECH and have responsibility to train the workforce, including interns and certain volunteers, on privacy and security requirements

• Additional responsibilities include:

‐ Limit use and disclosure of PHI to only the minimum necessary needed to accomplish a task, service, or activity

‐ Develop policies and procedures to control access to, and the use of, PHI

‐ Implement reasonable safeguards to limit incidental uses and disclosures

‐ Institute physical and technical controls that limit access to PHI by members of the workforce to fulfill the Minimum Necessary Principle

Page 24

Collaboration: How We Work with Data

PHI &/or Confidential Data
• Where: Only on clinic premises and resources – never remove
• Access: Extremely restricted
• Example: intern or volunteer helping scan records into EMR

De-Identified Data
• What: Patient data with identifying information removed
• Where: Only on clinic premises and resources – never remove
• Access: Restricted
• Example: R&D staff analyzing ethnicity and age for planning a marketing campaign

Mock Data
• What: Fictitious data created for demonstration or simulation purposes
• Where: Preferably worked on clinic premises and resources
• Access: Controlled
• Example: intern with expertise in Excel teaching staff how to manipulate data
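As an added example (not part of the course), the following Python check applies the identifier list from page 11 and the data tiers from the table above: it drops identifier fields from a record, masks identifiers that survive in free text, and reports whether the record still belongs in the PHI tier before it is shared as "de-identified". The field names, patterns and sample record are assumptions constructed for this example.

```python
"""Check that a record meant for the de-identified tier no longer carries
the identifiers listed in the course (added example, not course material)."""
import re

# Structured fields that hold identifiers from the course's list.
# Field names are assumptions; map them to your own schema.
IDENTIFIER_FIELDS = {
    "name", "address", "employer", "relatives", "date_of_birth", "phone",
    "fax", "email", "ip_address", "ssn", "mrn", "member_number",
    "device_serial", "vehicle_serial", "biometrics", "photo",
    "admission_date", "discharge_date", "date_of_death",
    "beneficiary_number", "account_number",
}

# Identifiers that often survive in free-text notes. Every date is flagged
# because birth, admission, discharge and death dates are all on the list.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "mrn": re.compile(r"\bMRN[:# ]*\d+\b", re.IGNORECASE),
}


def de_identify(record):
    """Return (scrubbed_record, findings).

    Identifier fields are dropped; identifiers found inside free-text
    values are replaced with a placeholder. Each finding is a
    (field, label, matched_text) tuple so reviewers can see what was hit.
    """
    scrubbed, findings = {}, []
    for field, value in record.items():
        if field in IDENTIFIER_FIELDS:
            findings.append((field, "field", "<dropped>"))
            continue
        if isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS.items():
                def _mask(match, field=field, label=label):
                    findings.append((field, label, match.group()))
                    return "[REDACTED-" + label + "]"
                value = pattern.sub(_mask, value)
        scrubbed[field] = value
    return scrubbed, findings


def classify(record):
    """Tier from the course's data-handling table for the record as given.
    Mock (fictitious) data cannot be recognised by inspection; label it
    at creation time instead of relying on this check."""
    _, findings = de_identify(record)
    if findings:
        return "PHI &/or Confidential Data (extremely restricted)"
    return "De-Identified Data (restricted)"


# Constructed sample record: looks de-identified at a glance, but the note
# still carries a phone number, an MRN and an admission date.
SAMPLE = {
    "name": "Jane Example",
    "mrn": "00012345",
    "age_band": "40-49",
    "ethnicity": "Hispanic",
    "diagnosis_code": "E11.9",
    "note": "Pt called from 555-123-4567, see MRN 00012345; admitted 03/14/2015.",
}
```

Running `classify(SAMPLE)` places the record in the PHI tier; only the output of `de_identify(SAMPLE)` qualifies as de-identified data.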

Page 25

Communication: Inside & Outside the Clinic

Inside the Clinic

• PHI is not discussed in the presence of members of the general public.

• PHI is not disclosed to friends or family of a patient without permission.

• Access to PHI is controlled physically and electronically. Be careful to immediately pick up confidential information that you print, lock up physical files, and close down computer files when stepping away from your desk.

Outside the Clinic

• Do not show recognition of a client verbally or non-verbally in public, unless they acknowledge you first.

• PHI is never discussed in a public setting.

• PHI is not emailed without the requesting individual being advised of the risk and still requesting such transmission in writing. Similarly, we don’t leave phone messages without written permission to do so.

Page 26

Let’s Check Your Understanding

A health center is transitioning from paper to electronic medical records. A volunteer is asked to scan patient records into an electronic format

Is this an appropriate activity for a volunteer?

Yes

No

Page 27

You’re right!

Scanning records is an appropriate activity

Volunteers may have access to PHI when directed and the complete data is necessary to complete the task

Any volunteer who will be accessing patient records should complete Confidentiality training before beginning the scanning

Also, the volunteer should only access the PHI that is necessary to perform the scanning (e.g. they should not be reading records)

Page 28

Good try but not the right answer!

While it’s wise to be cautious about being exposed to PHI, scanning records is an appropriate volunteer activity.

Any volunteer who will be accessing patient records should complete Confidentiality training before beginning the scanning

Also, the volunteer should only access the PHI that is necessary to perform the scanning (e.g. they should not be reading records)

Page 29

What would you do?

HRSA has a site visit scheduled. In preparation, you need to audit multiple client charts with PHI and you’re afraid that you don’t have time to complete what’s necessary.

How would you proceed?

• Stay at the clinic late into the evening to finish the project – the data stays at Open Door as it should

• Put the data on a thumb drive and take it home to work – you can meet the deadline and balance your life

• Borrow a laptop from Open Door and take it home – you are using a clinic asset to work on your project so it’s okay

• Work with your manager to see if another employee can assist you in completing the project during work hours

Page 30

You’re right!

The best approach is to talk with your manager and see if another employee can assist you in conducting the audit during work hours.

Your answer shows that you recognize that you should not remove PHI from the clinic – whether hardcopy, on a thumb drive or a clinic laptop.

Another option is to stay at the clinic into the evening to finish your audit; however, that should only occur if you and your manager cannot find another way to accomplish the task during work hours.

Page 31

No, that’s not the correct answer!

The best approach is to talk with your manager and see if another employee can assist you in conducting the audit during work hours.

You should not remove PHI from the clinic – whether hardcopy, on a thumb drive or a clinic laptop.

Another option is to stay at the clinic into the evening to finish your audit; however, that should only occur if you and your manager cannot find another way to accomplish the task during work hours.

Page 32

Resources & Summary

Page 33

Your Responsibilities

Become familiar with Open Door’s confidentiality policies

Elevate incidents, questions or concerns to Open Door’s Assistant Director, who oversees compliance

Adhere to data handling guidelines:

‐ Limit your access to PHI in accordance with the Minimum Necessary Principle

‐ Don’t ever take PHI outside the clinic

Page 34

Locating Additional Resources

• Open Door Employee Toolkit

• HIV/AIDS Confidentiality Course

• Other Questions & Concerns

Open Door Compliance, headed by Assistant Director Perry Maier

Please share examples of HIPAA/HITECH Confidentiality situations so we can continue to enhance this training

Always report any questionable situations

Page 35

You have successfully completed the course… you should be able to:

Recognize the scope of confidentiality requirements

‐ HIPAA and HITECH rules set standards and limits on who can look at and receive health information

‐ Remember that interns and volunteers are considered members of the Health Center workforce and must comply with HIPAA and other privacy protections

Identify situations where privacy could be at risk and take appropriate action to limit access to PHI

‐ Privacy is at risk whenever PHI is involved

‐ No PHI may ever be removed from the center

Know when and where to report issues and/or seek help

Page 36

Certification Quiz

Please advance into the next section to complete the accompanying Certification Quiz in order to receive credit for course completion

• For additional questions about the course, please email [email protected]

Page 37

Page 38

You have completed the course and may now exit

Thank you!