Welcome to the Wis. Dept. of Health Services Privacy Training - PowerPoint PPT Presentation

Slides: 102
Provided by: KathyJ4

Transcript and Presenter's Notes

1
Welcome to the Wis. Dept. of Health Services
Privacy Training
  • HIPAA Privacy and
  • State Confidentiality Laws
  • Awareness

2
Why Are You Being Asked to Take This Training?
  • You work in a position within DHS that requires
    you to take HIPAA training because you work with
    protected health information (PHI)
  • The HIPAA Privacy Rule requires covered entities
    to train their workforce on the HIPAA policies and
    those specific HIPAA-required procedures that may
    affect the work you do for DHS
  • All DHS employees need to safeguard confidential
    information

3
Published Horrors
  • Following are some examples of recent
    improper disclosures which illustrate why
    confidentiality is so important
  • In the biggest loss ever of personal information
    compiled by state government, a computer disk
    containing data on 2.9 million Georgians has been
    lost in shipping. State officials, who blame
    Dallas-based Affiliated Computer Services for the
    lost CD, said it contained names, Social Security
    numbers, birth dates and addresses of people on
    Medicaid and PeachCare for Kids, but no medical
    information. (04/07)

4
Published Horrors
  • Data of all American veterans who were discharged
    since 1975 including names, Social Security
    numbers, dates of birth and in many cases phone
    numbers and addresses, were stolen from a VA
    employee's home. Theft of the laptop and computer
    storage device included data of 26.5 million
    veterans. (5/06)
  • Note: The employee was later dismissed.

5
DHS Commitment to Privacy
  • Preserve the privacy of all clients and employees
  • Guard the confidentiality of health and
    confidential information
  • Maintain the integrity of all recorded
    information
  • Ensure reasonable safeguards of all electronic
    information

6
What is HIPAA? (Health Insurance Portability and
Accountability Act 1996)
  • Protects the privacy and security of a client's
    health information
  • The HIPAA Privacy Rule is the first enforceable,
    federally-mandated, comprehensive set of privacy
    rights and responsibilities
  • The Rule demands that healthcare providers and
    organizations (health plans) paying for
    healthcare have policies and processes which
    apply reasonable safeguards to health information
  • Provides for electronic and physical security of
    a patient's health information

7
What is HIPAA? (Health Insurance Portability and
Accountability Act 1996)
  • Prevents health care fraud and abuse
  • Guarantees health coverage when job changes
  • Administrative Simplification
  • Establishes national standards for
  • Electronic (EDI) transactions
  • Security and privacy of health care information
  • Identifiers such as provider, payer and employer,
    for improved efficiency of processing health care
    information

8
State Confidentiality Laws
  • Wisconsin has enjoyed strong laws and
    regulations protecting citizens' health
    information. But in many other states, their
    states' laws were either much less stringent than
    ours or were not enforced. The Privacy Rule is
    not intended to replace Wisconsin or other states'
    laws. The Privacy Rule doesn't override state
    laws or policies providing more privacy. The Rule
    is intended to establish minimum standards of
    privacy protection. If a state law, regulation,
    or an agency's policies are more stringent than
    HIPAA, the more stringent safeguards prevail.

9
Privacy Wisconsin Laws
  • Wisconsin's confidentiality laws
  • Are similar to HIPAA in several ways
  • Will preempt or override HIPAA if Wisconsin laws
    are more stringent (i.e., give clients more
    rights or protections)
  • HIPAA provides a floor but not a ceiling: more
    stringent state laws are not pre-empted
  • Wisconsin's identity theft laws (Wis. Stat.
    134.98)
  • Require that individuals be notified if the security
    of their confidential information has been
    breached

10
Wisconsin Confidentiality Laws
  Statute              Summary
  146.82, Wis. Stat.   Covers general medical health care information
  51.30, Wis. Stat.    Covers health care information relating to mental health, AODA, and developmentally disabled
  252.15, Wis. Stat.   Covers health care information relating to HIV testing
  HFS 92 Adm. Code     Covers confidentiality of mental health treatment records

11
What does Wis. Stat. 146.82 Cover?
  • Protects the confidentiality of patient health
    care records and provides
  • Requirements for informed consent to release
    information from patient health care records
  • Exceptions that permit release of information
    without written informed consent

12
What does Wis. Stat. 51.30 & HFS 92 Cover?
  • Protects the confidentiality of all records that
    are created in the course of providing services
    to individuals for mental health services,
    developmental disabilities, alcoholism or drug
    dependence and provides
  • Requirements for informed consent to release
    information from treatment records
  • Exceptions that permit release of information
    without written informed consent
  • Requirements for access by the clients, parents,
    guardians, etc.
  • Processes and penalties for violations of the law
  • HFS 92 further operationalizes Wis. Stat. 51.30

13
What Does Wis. Stat. 252.15 Cover?
  • Restricts use of test results for HIV
  • Written consent is needed to disclose a person's
    test results

14
2008 State Confidentiality Law Changes: Wis.
Stat. 51.30
  • Changes effective October 1, 2008
  • The list of elements that may be exchanged
    without the patient's consent was expanded to
    include diagnostics and symptoms
  • Removal of the "within a related health care
    entity" limitation (Wis. Stat. 51.30(4)(b)8G) so
    that health care information can be shared with
    any provider who is involved in the patient's care
    and needs the information to treat the patient

15
2008 State Confidentiality Law Changes: Wis.
Stat. 146
  • Changes effective April 1, 2008
  • Eliminates the requirement to document all
    disclosures. Health care providers will still be
    required to document disclosures as required by
    HIPAA.
  • Allows general health information to be exchanged
    with any health care provider who is involved
    with the patient's care. In the past, Chapter
    146 of Wisconsin law prohibited health care
    providers who received general patient health
    care information from providers outside their
    institution from disclosing the same information
    to a subsequent provider.

16
2008 State Confidentiality Law Changes: Wis.
Stat. 146 (continued)
  • Allows health care providers to disclose health
    information to a patient's family, friend or
    another person identified by the patient who is
    involved in the patient's care
  • If the patient provides informal permission to do
    so
  • If the patient is not able to grant informal
    permission, a health care provider is permitted
    to use his or her professional judgment to
    determine whether disclosing the information is
    in the best interests of the patient and the
    patient would otherwise allow such a disclosure

NOTE: DHS doesn't generally deal with this
provision except for the institutions.

17
Why Comply with HIPAA & State Confidentiality
Laws?
  • It's the law!
  • Public expectations that we'll maintain
    confidentiality of information
  • Imposes severe penalties for non-compliance
  • Potential withholding of federal Medicaid and
    Medicare funds
  • Possible litigation
  • Public relations and business risk issues

18
Terms You Should Know
  • To understand HIPAA, there are some important
    terms you must know
  • They are
  • Covered Entity
  • Hybrid Entity
  • Health Care Component
  • Protected Health Information
  • Individually Identifiable Health Information

19
Covered Entity
  • HIPAA's regulations directly cover three basic
    groups of individual or corporate entities
  • Health Care Provider means a provider of medical
    or health services, and any entity that furnishes,
    bills, or is paid for health care in the normal
    course of business
  • Health Plan means any individual or group that
    provides or pays for the cost of medical care,
    including employee benefit plans
  • Healthcare Clearinghouse means an entity that
    either processes or facilitates the processing of
    health information

20
Hybrid Entity
  • A Hybrid Entity is
  • A single legal entity whose business activities
    include both non-covered and covered functions
    (i.e., as a provider or health plan)
  • The hybrid entity is the covered entity
  • DHS is a hybrid entity
  • The hybrid entity is responsible for ensuring
    that its health care components comply with the
    rules

21
Health Care Component
  • A health care component is a component of a
    covered entity that performs covered functions
    that qualify the component as a Health Care
    Provider, Health Plan or Health Care
    Clearinghouse
  • DHS is made up of health care components (often
    called covered health care components)

22
What is DHS' Responsibility as a Hybrid Entity?
  • Identify its covered health care components
  • Identify components that act as a business
    associate to covered health care components
  • Erect firewalls between covered and non-covered
    components
  • Ensure compliance with HIPAA by covered components

23
Who is Covered in DHS?
  • Health Care Providers
  • Mendota MH Inst.
  • Winnebago MH Inst.
  • Sand Ridge
  • WI Resource Center
  • N. WI Center
  • Central WI Center
  • S. WI Center

24
Who is Covered in DHS?
  • Health Plans
  • BadgerCare/Plus
  • Chronic Disease Program
  • Medicaid
  • Senior Care
  • WI Well-Woman Program
  • WI Partnership/PACE Programs
  • Family Care
  • Healthy Start
  • Medical Assistance Purchase Plan
  • Community Options Program Waiver
  • Community Integration Programs II, 1A 1B
  • Brain Injury Waiver Program
  • Children's Long-Term Support Waiver Program

25
What is Protected Health Information (PHI)?
  • Name
  • Address (geographic subdivisions smaller than a
    State)
  • Street address
  • City
  • County
  • Zip code/equivalent geocodes
  • E-mail address
  • Dates (except years)
  • Birth date
  • Admission/discharge dates
  • Telephone numbers
  • Fax numbers
  • Social security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including
    license plate numbers
  • Device identifiers and serial numbers
  • URLs
  • IP Addresses
  • Biometric identifiers
  • Full face photographic images
  • Any other unique identifier or codes
  • Note: These are the data elements that need
    to be removed in order for the data to be
    considered de-identified.
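The slide above lists the identifiers whose removal is the first step of HIPAA's Safe Harbor de-identification. The following Python script is an added example, not part of the training deck or any DHS code; the field names, the sample record and the regular expressions are constructed assumptions for illustration. It strips the identifier fields from a record, keeps only the year of any date, and then scans the remaining free-text fields for identifiers that leak through (an SSN or phone number typed into a clinical note), since dropping the listed fields alone does not make a record de-identified.

```python
import re

# Constructed field names standing in for the identifier categories on the
# slide (name, address parts, dates, phone/fax, SSN, MRN, plan/account/license
# numbers, vehicle/device ids, URLs, IPs, biometrics, photos, other unique ids).
# A real schema will use different names; these are assumptions.
IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "zip", "email",
    "birth_date", "admission_date", "discharge_date", "phone", "fax",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric",
    "photo", "other_unique_id",
}

# "Dates (except years)": date fields are generalized to the year, not dropped.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date"}

# Patterns for identifiers that commonly leak through free-text fields.
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}


def deidentify(record: dict) -> dict:
    """Drop identifier fields; reduce date fields (ISO YYYY-MM-DD) to the year."""
    out = {}
    for key, value in record.items():
        if key in DATE_FIELDS:
            out[key[:-5] + "_year"] = int(str(value)[:4])  # "birth_date" -> "birth_year"
        elif key in IDENTIFIER_FIELDS:
            continue  # identifier removed entirely
        else:
            out[key] = value
    return out


def find_leaks(record: dict) -> dict:
    """Return {field: [pattern names]} for string values that still look like identifiers."""
    leaks = {}
    for key, value in record.items():
        if not isinstance(value, str):
            continue
        hits = [name for name, pat in LEAK_PATTERNS.items() if pat.search(value)]
        if hits:
            leaks[key] = hits
    return leaks


def redact_free_text(record: dict) -> dict:
    """Replace leaked identifiers inside string fields with a redaction marker."""
    out = {}
    for key, value in record.items():
        if isinstance(value, str):
            for pat in LEAK_PATTERNS.values():
                value = pat.sub("[REDACTED]", value)
        out[key] = value
    return out


def is_deidentified(record: dict) -> bool:
    """True only if no identifier field remains and no free-text field leaks one."""
    return not (set(record) & IDENTIFIER_FIELDS) and not find_leaks(record)


# Constructed sample record; all values are fictitious.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street_address": "123 Example St",
    "city": "Madison",
    "zip": "53703",
    "birth_date": "1962-05-14",
    "admission_date": "2008-10-01",
    "ssn": "000-12-3456",
    "mrn": "MRN-0001",
    "diagnosis": "Type 2 diabetes",
    "notes": "Patient reached at 608-555-0100; follow up after 2008-10-15.",
}

if __name__ == "__main__":
    stripped = deidentify(SAMPLE_RECORD)
    print("after field removal:", stripped)
    print("leaks in free text:", find_leaks(stripped))   # the note still carries a phone and a date
    clean = redact_free_text(stripped)
    print("de-identified:", is_deidentified(clean), clean)
```

The check in `find_leaks` is the practical point of the slide's note: a record is not de-identified just because the structured identifier columns are gone, so the free-text fields must be reviewed too, and a regex scan like this is only a first pass before human review.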

26
Individually Identifiable Health Information
  • Any information, including demographic
    information collected from an individual, that
  • a) Is created or received by a health care
    provider, health plan, employer, or health care
    clearinghouse and
  • b) Relates to the past, present, or future
    physical or mental health or condition of an
    individual, the provision of health care to an
    individual, or the past, present, or future
    payment for the provision of health care to an
    individual, and
  • (i) Identifies the individual, or
  • (ii) With respect to which there is a reasonable
    basis to believe that the information can be used
    to identify the individual

27
Privacy Rule Objectives
  • Give individuals more control over their health
    information
  • Set boundaries on the use and disclosure of their
    health information
  • Establish appropriate safeguards for all people
    who participate or are involved with the
    provision of health care to ensure they honor
    individuals' rights to privacy of their PHI
  • Hold violators accountable through civil and
    criminal penalties

28
When is it Covered?
  • Let me count the ways
  • When you use it
  • When you disclose it
  • When you store it
  • When you see it on your computer
  • When it is lying on your desk
  • When you share it with another health care
    provider
  • When you share it with a contracted service
    provider
  • When you are talking about it face to face
  • When you are talking about it over the phone

29
What is Not Covered?
  • De-identified health information
  • Information that is de-identified is no longer
    considered to be protected health information,
    and is thus exempt from the other provisions of
    the HIPAA Privacy regulation

30
What is Not Covered? (Continued)
  • Means of de-identifying
  • Removal of certain identifiers (18 elements) -
    removal of the 18 elements alone doesn't mean the
    data is considered de-identified. There must also
    be no reasonable basis to believe that the
    individual could still be identified.
  • Otherwise eliminating, concealing, or completely
    redacting

31
Minimum Necessary Standard
  • Who has access to PHI and the need-to-know
    principle
  • A covered entity must make reasonable efforts to
    limit the use or disclosure of, and requests for,
    PHI to the minimum amount necessary to accomplish
    the intended purpose

32
Minimum Necessary Standard (Continued)
  • Does not apply if disclosure is needed
  • For treatment (except for s. 51.30 treatment
    record information)
  • Pursuant to a client's authorization
  • Disclosed to client (client's own information)
  • Health oversight activities
  • To HHS Secretary (federal)
  • As required by law

33
Minimum Necessary Standard (Continued)
  • When using, disclosing, or requesting Protected
    Health Information, make reasonable efforts to
    limit PHI to minimum necessary to accomplish
    the purpose
  • Do not disclose more than is necessary
  • Only share on a need to know basis, even within
    the Department
  • Can you de-identify the information and still
    accomplish the purpose?
  • Never send the entire medical record unless
    absolutely necessary

34
Uses & Disclosures
35
Basic Rule
  • A Covered Entity may not use or disclose PHI in
    any form except as authorized by patient or as
    permitted by the regulations
  • Prior Rule: State law generally governed the
    confidentiality of medical information
  • Preemption: HIPAA now preempts state
    confidentiality laws unless state laws are
    stricter

36
Use vs. Disclosure
  • Use: the sharing, employment, application,
    utilization, examination, or analysis of
    Protected Health Information (PHI) within the
    covered health care component that maintains the
    PHI
  • Disclosure: the release, transfer, provision of
    access to, or divulging in any other manner of
    PHI outside the covered health care component
    holding the information

37
Uses and Disclosures for Treatment, Payment &
Health Care Operations (TPO)
38
Treatment
  • Provision, coordination or management of health
    care and related services by a health care
    provider
  • Coordination and management of health care by a
    health care provider with a third party (e.g.,
    HMOs)
  • Consultations among health care providers
  • Referrals of patients from one health care
    provider to another

39
Payment
  • Activities by a health plan to obtain premiums or
    fulfill obligations for coverage and the
    provision of benefits (e.g., Medicaid
    eligibility)
  • Activities by either a provider or a health plan
    to obtain or provide reimbursement (e.g.,
    Medicaid payment of claims, provider filing of
    claims)

40
Health Care Operations
  • Health care operations support treatment and
    payment activities
  • Limited to our operations
  • Examples of health care operations
  • Quality Improvement
  • Review provider qualifications & performance
  • Medical review, legal & audit services
  • Business planning & development
  • Business management & general administration

41
Other Permitted Uses & Disclosures
  • Covered health care components may use or
    disclose PHI without a consent or authorization
    when the use or disclosure comes within one of
    the listed exceptions
  • Required by law
  • Activities involving public health
  • Adult abuse, neglect or domestic violence
  • Child abuse or neglect
  • Health oversight activities
  • Judicial and administrative proceedings (follow
    both state and HIPAA)

42
Other Permitted Uses & Disclosures (Continued)
  • Law enforcement (follow both state and HIPAA)
  • Decedents
  • Organ transplants
  • Avert serious threat to health or safety
  • Other specialized government functions
  • Workers' Compensation
  • Research purposes

43
When are Authorizations Needed?
  • For disclosures of PHI for specified purposes
    other than Treatment, Payment, or Health Care
    Operations that are not otherwise allowed under
    the regulations
  • For disclosures to third parties specified by the
    client
  • For medical research
  • For marketing by third party
  • To use or disclose psychotherapy notes (also
    required by Wis. Stat. 51.30)

44
Individual Privacy Rights
45
Client Rights: Golden Rule
  • We should treat health information about others
    as we would want others to treat health
    information about us.
  • Privacy has always meant that health information
    must be kept confidential.

46
Individual Privacy Rights
  • Individuals (including you) have the right to
  • Request access to their PHI
  • Request amendments to their PHI
  • Receive an accounting of disclosures of PHI
  • Request restrictions on who sees their PHI
  • Request confidential communications
  • Receive a Notice of Privacy Practices
  • File a complaint without fear of retaliation

47
Right to Access
  • Client has a right to inspect and copy own
    protected health information in a designated
    record set maintained by its covered entity and
    its business associates
  • Right lasts as long as covered entity maintains
    PHI

48
Designated Record Set
  • This is information used to make decisions about
    individuals. An individual's access to their PHI
    is limited to the PHI in the designated record
    set.
  • For Providers, this includes
  • Medical records
  • Billing records
  • For Health Plans, this includes
  • Enrollment, payment, and claims records
  • Check with your privacy officer for guidance
    on how to proceed with a request for an
    individual's access to their designated record
    set.

49
Denial of Access (With Opportunity to Review)
  • Denial of a client's access to his/her designated
    record set, with opportunity for review, when in
    the opinion of a licensed health care
    professional:
  • Information would endanger life or safety of
    patient or others
  • References to others are reasonably likely to
    cause substantial harm to that other person
  • Request was made by the client's personal
    representative and access would likely cause
    substantial harm to the client or others
  • Check with your supervisor or privacy officer if
    unsure how to handle a denial of access request.

50
Denial of Access (Without Opportunity for Review)
  • Denial of a client's access to his/her designated
    record set without opportunity for review
  • Psychotherapy notes (Wis. Stat. 51.30 more
    stringent)
  • Information compiled for civil, criminal or
    administrative actions
  • Inmate request that would jeopardize health or
    safety of inmate or others
  • Research that includes treatment
  • Information obtained from an anonymous source
    under a promise of confidentiality
  • Check with your supervisor or privacy officer if
    unsure how to handle a denial of access request.

51
Amendments to PHI
  • Clients have a right to amend any element of
    protected health information (PHI) in the
    designated record sets, for as long as that
    information is maintained by the covered entity
  • Entities are not obligated to amend if they
    determine that another entity was the creator of
    information at issue, unless the individual
    provides a reasonable basis to believe that the
    originator is no longer available to act on the
    request

52
Amendments to PHI (Continued)
  • In amending a record, the information at issue is
    not deleted. Additional notes are added to
    describe the amendment.
  • If an amendment is made, the covered entity must
    make a reasonable attempt to notify those with
    incorrect or incomplete information

53
Accounting of Disclosures
  • Covered entities must account, at the client's
    request, for each non-excepted disclosure made
    during the previous six years
  • Accounting must include
  • Disclosure date
  • Name and address of receiving person or entity
  • Brief description of information disclosed
  • The accounting must be provided within 60 days of
    request
  • Rights last as long as records are maintained

54
Accounting of Disclosures: Excepted Disclosures
  • A covered entity need not document the following
    disclosures
  • For treatment, payment or health care operations
  • To individual
  • Prior to Privacy Rule compliance date 4/14/03
  • To law enforcement, correctional institutions or
    for national security
  • Common examples of accounting of disclosures
    requiring documentation
  • Public health
  • Inadvertent/inappropriate disclosure of PHI

55
Restrictions on PHI
  • A covered entity may permit a client to request
    restriction on use or disclosure for
  • Treatment, payment, or health care operations
  • To relatives or others involved in the care of
  • A covered entity is not required to agree, but if
    it agrees
  • The covered entity must comply with restriction
    until expired

56
Confidential Communications
  • Client's right to confidential communications by
    alternative means or at alternative locations
  • Should a client be concerned about receiving
    information about their health treatment or
    payment at home, they have the right to request
    that they be contacted only in a specified manner
    such as
  • Being called only at work
  • Sending communications to another address

This request should be honored if there is any
indication that the disclosure of this
information could endanger the client.

57
Receive a Notice of Privacy Practices
  • We must provide a copy of our Notice of Privacy
    Practices to our clients
  • Providers at the time of the patient's first
    visit
  • Health plan at the time of enrollment and every
    three years, beginning after the implementation
    of HIPAA in 2003 (e.g., 2006, 2009, etc.)
  • This notice describes the uses and disclosures of
    protected health information that may be made by
    the covered entity, and of the individual's
    rights and the covered entity's legal duties with
    respect to protected health information

58
Right to File a Complaint
  • Who may complain?
  • Individuals
  • Whistleblowers
  • Complain about what?
  • Privacy policies
  • Misuse of PHI
  • Denial of access to PHI or amendments to PHI

59
Right to File a Complaint (Continued)
  • Who do they complain to?
  • Covered entity's Department Privacy Officer
  • HHS Secretary (Office of Civil Rights - Federal)
  • No retaliation for complaints

60
Business Associate
61
Business Associate
  • Business Associate: An individual or entity who,
    on behalf of DHS
  • Performs or assists in performing functions or
    activities involving the use or disclosure of PHI,
    or
  • Provides certain services to DHS which include
    use or disclosure of PHI by DHS
  • Activities must be related to treatment, payment
    or health care operations

62
Business Associate Relationship Tests
  • Performs a function or activity on a covered
    entity's behalf that involves either creating or
    receiving PHI for or from a covered entity
  • Examples of functions include consulting or
    administrative (or legal, actuarial, accounting,
    data aggregation, management or financial)
    services

63
Business Associate Obligations
  • Contracts with a Business Associate require that
    the Business Associate
  • Not use or further disclose PHI other than as
  • Permitted in the contract or
  • As required by law
  • Use appropriate security safeguards
  • Report any improper use or disclosure of which it
    becomes aware to the covered entity
  • Ensure its agents (including subcontractors)
    agree to the same restrictions as in the contract
  • Make available to Federal HHS its internal
    practices and books relating to the use and
    disclosure of PHI.

64
Privacy & Security Incidents
65
How Much is Enough? How Much is too Much?
  • There are three types of problem disclosures
  • Incidental
  • Accidental
  • Intentional

66
Incidental Disclosures
  • If reasonable steps are taken to safeguard a
    client's information and a visitor happens to
    overhear or see PHI that you are using, you will
    not be liable for that disclosure
  • Incidental disclosures are going to happen, even
    in the best of circumstances
  • An incidental disclosure is not a privacy
    incident. This is not an accountable disclosure.

67
Reasonable Safeguards to Avoid Incidental
Disclosures
  • Keep your voice low
  • Discuss in as private an area as possible in the
    circumstances
  • Do not leave PHI or information where others can
    see or access them

68
Reasonable Safeguards to Avoid Incidental
Disclosures (Continued)
  • Cover papers and shield computer screens in
    public areas to make them as secure as possible.
    Don't allow unauthorized individuals (i.e.,
    visitors, friends, or family members) to view
    your computer screen as you access PHI or other
    confidential information.
  • When using a computer, if you need to walk away,
    you should ALWAYS
  • Log off OR
  • Lock the computer screen (Ctrl-Alt-Del and select
    lock)

69
Reasonable Safeguards to Avoid Incidental
Disclosures (Continued)
  • Don't leave documents containing PHI unattended
    in fax machines, printers, or copiers
  • When disposing of confidential data, either shred
    or put in locked recycling bin for destruction

70
Accidental Disclosures
  • Mistakes happen. If you disclose PHI or
    confidential information to an unauthorized
    person or if you breach the security of
    confidential data:
  • Acknowledge the mistake and notify your
    supervisor and the Privacy Officer immediately
  • Learn from the error, revise procedures to
    prevent it from happening again
  • Assist in correcting the error only if you are
    instructed to. Don't cover up or try to make it
    right by yourself
  • Accidental disclosures are Privacy Incidents and
    must be reported to your Privacy Officer
    immediately! This is an accountable disclosure.

71
Examples of Accidental Disclosures
  • Sending an email to the wrong person
  • Emails sent out externally are not secure unless
    encrypted or secured (more information on this
    later)
  • Sending a fax to the wrong number
  • Disclosing data to someone who didn't have the
    right to receive it
  • Sending information to the wrong address
  • Loss of a file containing confidential
    information

72
Intentional Disclosures
  • If you ignore the rules and carelessly or
    deliberately use or disclose protected health or
    confidential information, you can expect
  • DHS disciplinary action
  • Civil and/or criminal charges
  • If you're not sure about a use or disclosure,
    check with your supervisor or the Privacy Officer.

73
Examples of Intentional Violations
  • Improper use of passwords: sharing, posting or
    distributing personal password or account access
    information
  • Allowing a co-worker to log on with your password
    because it provides access to more or different
    security levels your co-worker doesn't have
  • Attempting to learn or use another person's
    access information

74
Examples of Intentional Violations (Continued)
  • Discussing PHI or confidential information in a
    public area or elevator
  • Selling health or personal information or
    inappropriately providing to the news media
  • Accessing information that you do not have a
    need to know for your job because of personal
    curiosity or as a favor to someone else

75
When to Report Privacy & Security Violations?
  • All accidental and intentional violations, known
    and suspected, must be reported immediately to
    your supervisor and privacy officer!
  • So they can be investigated and managed
  • So they can be prevented from happening again in
    the future
  • So damages can be kept to a minimum
  • To minimize your personal risk
  • Incidental disclosures need not be reported,
    but if you're not sure, report anyway.

76
When to Report Privacy & Security Violations?
(Continued)
  • In some instances, management may have to notify
    affected parties of lost, stolen, or compromised
    data. If you learn of inappropriate disclosures:
  • Immediately notify your supervisor and your
    division Privacy Officer!

77
DHS Sanctions for Privacy and Information
Security Violations
  • DHS considers it a serious incident anytime a
    privacy or security violation occurs
  • HIPAA requires that we monitor information system
    activity, which assists in identifying violations,
    and that we document all incidents
  • Disciplinary/corrective action ranges from
    training/counseling to termination

78
Imposing Compliance
  • General Civil Penalty for Failure to Comply
  • $100 per person per violation
  • $25,000 fine per year for multiple violations
  • Not to exceed $25,000 in one calendar year
  • YOU can be personally liable

79
Imposing Compliance
  • Criminal Penalties (Privacy) - Person who
    knowingly and wrongfully discloses individually
    identifiable health information is subject to
    fines and imprisonment
  • Simple offense - Up to $50,000 and/or 1 year
    imprisonment
  • If committed under false pretenses - Up to
    $100,000 and/or 5 years imprisonment
  • If committed with intent to sell, transfer, or
    use Individually Identifiable Health Information
    for commercial advantage, personal gain, or
    malicious harm - Up to $250,000 and/or 10 years
    imprisonment
  • Again, YOU can be personally liable

80
Enforcement Agency
  • Federal Department of Health and Human Services
    (Office of Civil Rights) will
  • Investigate complaints
  • Enforce compliance
  • Impose civil monetary penalties
  • Department of Justice will
  • Enforce criminal penalties
  • Center for Medicare and Medicaid (CMS) will
  • Oversee compliance with the Security Rule,
    Transaction Code Sets and Identifiers

81
Safeguarding PHI/Confidential Information is
Everyone's Responsibility
  • Protect it at all times
  • Do not share it with anyone unless there is a
    need to know or it is needed to accomplish your job
  • Constantly monitor your actions: "If I do this,
    will I increase the risk of unauthorized access?"
  • Only access the minimum amount of PHI needed to
    do your job

82
What Can You Do to Safeguard Confidential
Information?
  • Take all reasonable precautions to safeguard
    confidential information, including
  • Protecting your passwords
  • Using strong passwords
  • Practicing good email security: do not send
    emails containing confidential information
    without protecting it
  • Preventing viruses
  • Storing media securely
  • Disposing of confidential paper and media in a
    secure manner
  • Practicing good workstation etiquette

83
Protect Your Passwords
  • You are responsible for all actions taken under
    your user ID and password
  • The Post-It Note can undo the most elaborate
    security measures. Do not post, write down or
    share your password with anyone!
  • Protect your user ID/password from fraudulent
    use, unethical behavior or irresponsible actions
    by others. In other words, don't let someone "be
    you" and use your user ID/password for illegal
    purposes. Any such action is logged against your
    account, not theirs.

84
Password Guidance
  • Guidelines for good passwords
  • Six to eight characters or more (longer is
    better; current guidance such as NIST SP 800-63B
    favors length over composition rules, and a
    password that satisfies every rule below can
    still be one attackers guess first, e.g. "Password1")
  • Minimum of two alphabetic and one numeric
    character; special characters are allowed
  • Use upper and lower case
  • Memorize your password (do not write it down on
    paper and post it near your computer)

TIP: Use a pass-phrase to help you remember
your password, such as MbcFi2yo ("My brown cat,
Fluffy, is two years old").
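As an added example (not part of the DHS training material), the following Python code checks a candidate password against the rules on this slide and derives a password from a pass-phrase the way the TIP does, first letter of each word with number words spelled as digits. The `COMMON_PASSWORDS` set is a constructed stand-in for a real breached-password list and is an assumption of this example; it shows why composition rules alone are not enough.

```python
import re

# Added example, not code from the DHS training. Implements the slide-84
# password rules plus a breached-password check that the slide does not have.

NUMBER_WORDS = {
    "zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
}

# Constructed sample (assumption): a real check would consult a full list of
# leaked passwords, as NIST SP 800-63B recommends.
COMMON_PASSWORDS = {"password1", "welcome1", "letmein1", "qwerty123", "abc123"}


def from_passphrase(phrase: str) -> str:
    """Derive a password from a pass-phrase as the slide's TIP does:
    first letter of each word (case preserved), number words as digits,
    punctuation ignored."""
    out = []
    for raw in phrase.split():
        word = re.sub(r"[^A-Za-z0-9]", "", raw)
        if not word:
            continue
        out.append(NUMBER_WORDS.get(word.lower(), word[0]))
    return "".join(out)


def check_policy(password: str) -> list[str]:
    """Return the slide-84 rules the password fails (empty list = passes)."""
    failures = []
    if len(password) < 6:
        failures.append("shorter than six characters")
    if sum(c.isalpha() for c in password) < 2:
        failures.append("fewer than two letters")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not (any(c.isupper() for c in password)
            and any(c.islower() for c in password)):
        failures.append("not mixed case")
    return failures


def is_acceptable(password: str) -> bool:
    """Slide rules plus the breached-list check: "Password1" passes every
    composition rule yet is rejected here because attackers try it first."""
    if check_policy(password):
        return False
    return password.lower() not in COMMON_PASSWORDS


if __name__ == "__main__":
    candidate = from_passphrase("My brown cat, Fluffy, is two years old")
    print(candidate, check_policy(candidate), is_acceptable(candidate))
    print("Password1", check_policy("Password1"), is_acceptable("Password1"))
```

Running the block derives `MbcFi2yo` from the slide's pass-phrase and accepts it, while `Password1` passes the composition rules but is rejected by the breached-list check.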
85
Email Security
  • Email sent over the Internet is unencrypted and
    not secure. Note: email sent to other DHS email
    addresses is permitted, but minimize the amount of
    confidential information sent.
  • Do not include confidential information in an
    email message unless it is encrypted. If you are
    unsure how to do this, contact your Security
    Officer.
  • Confidential information can be sent in a
    password-protected Word document attached to a
    message
  • Use Tools, Options, Save and enter a Password to
    Open (strong password!)
  • Caution: the legacy Word 97-2003 (.doc) password
    protection uses weak 40-bit RC4 encryption that
    password-recovery tools break quickly. Prefer the
    Office 2007+ format (AES-based) or a dedicated
    encryption tool for sensitive PHI.
  • Share the password by phone or another channel
    separate from the email; never put it in the same
    message or a follow-up email

86
Email Security (Continued)
  • Confirm recipients' addresses when sending
    confidential information to avoid misdirected
    emails. DOUBLE-CHECK before sending, and watch
    for auto-completed addresses that look similar.
  • Include the Confidentiality Statement in the
    signature block on every email message
  • Do not use non-DHS email systems (Yahoo, AOL,
    Hotmail) to send confidential information! Again,
    any confidential information should be protected,
    such as with a password or encryption, if email
    is being used.

87
Viruses
  • Certain types of viruses and other malware can
    compromise confidential information or threaten
    the security of such information, often for
    financial gain
  • Viruses are becoming more damaging and
    sophisticated
  • Never open an email attachment unless you know
    who sent it to you and why. If in doubt, contact
    the sender by phone at a number you already have
    (the "From" address can be forged, so do not
    confirm by replying to the message) and verify
    that the attachment is legitimate.
  • Do not download files or screensavers from
    untrusted sources

88
Media Storage & Disposal
  • Store confidential information on network drives,
    not your local hard drive
  • Store files/backups containing PHI on portable
    media (disks, tapes) in a locked cabinet or room
  • Wipe information on disks or destroy them before
    discarding or recycling
  • Deleting does not completely erase data; a
    deleted file stays recoverable until its blocks
    are overwritten. On flash media and SSDs even
    overwriting does not reliably reach every cell,
    so rely on encryption (and destroying the key) or
    physical destruction.
  • Call your Security Officer for assistance if
    unsure how to secure your devices

89
Disposal of Paper Containing Confidential
Information
  • Client or confidential information stored on
    paper or computer diskettes should never be
    thrown into an open trash can, because no one
    knows who might end up seeing it once it leaves
    the building
  • When discarding paper containing client or
    confidential information, make sure it is put in
    the secure bin (in your area) to be destroyed
    later

90
Workstation Security
  • Position or shield your screen so passers-by
    cannot read it
  • Lock or log off before leaving a workstation
    unattended; this prevents others from accessing
    ePHI under your user ID and limits access by
    unauthorized users (Ctrl+Alt+Del, then Lock; the
    Windows key + L does the same)
  • Secure (lock up) portable devices (laptops,
    PDAs). Do not leave them unattended!
  • Secure workstations and portable devices when
    outside of normal work areas. This is
    particularly important in public areas and for
    telecommuters.

91
Bottom Line
  • Consider the client's perspective and give them
    control over how their information is used. How
    would you feel if it were your information?
  • Avoid situations in which the client would object
    to how their information was used or shared
  • Implement appropriate security measures to
    maintain the integrity of client data, ensure its
    availability, and keep it confidential
  • Be familiar with DHS privacy and information
    security policies (http://dhfsweb/security/)

92
DHS Contacts for Questions on HIPAA
  • CAPS Team
  • DHFSRESCAPS
  • Department Privacy Officer
  • Department Security Officer
  • Section/Division Contacts
  • http://dhfsweb/security/

93
Table of Contents
Why are You Taking this Training? ... 2
DHS Commitment on Privacy ... 5
What is HIPAA? ... 6
State Confidentiality Laws ... 8
Summary of State Confidentiality Laws ... 10
What Does Wis. Stat. 146.82 Cover? ... 11
What Does Wis. Stat. 51.30 and HFS 92 Cover? ... 12
What Does Wis. Stat. 252.15 Cover? ... 12
2008 State Confidentiality Law Changes ... 14
Why Comply with HIPAA and State Confidentiality Laws? ... 17
94
Table of Contents (Continued)
Terms You Should Know ... 18
Covered Entity ... 19
Hybrid Entity ... 20
Health Care Component ... 21
What is DHS' Responsibility as a Hybrid Entity? ... 22
Who is Covered in DHS? ... 23
What is Protected Health Information? ... 25
Individually Identifiable Information ... 26
Privacy Rule Objectives ... 27
When is it Covered? ... 28
95
Table of Contents (Continued)
When is it Not Covered? ... 29
Minimum Necessary Standard ... 31
Uses & Disclosures: Basic Rule ... 35
Uses vs. Disclosures ... 36
Uses & Disclosures: Treatment ... 38
Uses & Disclosures: Payment ... 39
Uses & Disclosures: Health Care Operations ... 40
Other Permitted Uses & Disclosures ... 41
When are Authorizations Needed? ... 43
Individual Privacy Rights, Client Rights, Golden Rule ... 45
96
Table of Contents (Continued)
Individual's Privacy Rights ... 46
Right to Access ... 47
Designated Record Set ... 48
Denial of Access (With Opportunity to Review) ... 49
Denial of Access (Without Opportunity to Review) ... 50
Amendments to PHI ... 51
Accounting of Disclosures ... 53
Restrictions on PHI ... 55
Confidential Communications ... 56
Receive a Notice of Privacy Practices ... 57
97
Table of Contents (Continued)
Right to File a Complaint ... 58
Business Associate ... 61
Business Associate Obligations ... 63
Privacy & Security Incidents - Three Types of Problem Disclosures ... 65
Incidental Disclosures ... 66
Reasonable Safeguards to Avoid Incidental Disclosures ... 67
Accidental Disclosures ... 70
Examples of Accidental Disclosures ... 71
Intentional Disclosures ... 72

98
Table of Contents (Continued)
Examples of Intentional Violations ... 73
When to Report Privacy & Security Violations? ... 75
DHS Sanctions for Privacy & Security Violations ... 77
Imposing Compliance ... 78
Enforcement Agency ... 80
Safeguarding PHI ... 81
What Can You Do to Safeguard PHI? ... 82
Protect Your Passwords ... 83
Password Guidance ... 84
Email Security ... 85
99
Table of Contents (Continued)
Viruses ... 87
Media Storage & Disposal ... 88
Disposal of Paper ... 89
Workstation Security ... 90
Bottom Line Summary ... 91
DHS Contacts ... 92
Table of Contents ... 93

100
Resources
  • http://www.hhs.gov/ocr/hipaa/
  • http://www.cms.hhs.gov/home/regsguidance.asp
  • http://dhfsweb/security/

101
Thank You!
  • This concludes the HIPAA Basics module of the
    course.
  • Please Click Here to complete the User
    Information Report; otherwise our records will
    not reflect the completion of this training for
    you.
  • You will need to do this to get credit for
    taking the training. Thank you. Note: after
    clicking on the above link, a Security Information
    window will display; select Yes to proceed.