Compliance & HIPAA 2017 Annual Education - Aultman · Compliance & HIPAA 2017 Annual Education 1...
Transcript of Compliance & HIPAA 2017 Annual Education - Aultman · Compliance & HIPAA 2017 Annual Education 1...
Compliance & HIPAA2017 Annual Education
1
The purpose of this education is to UPDATE and REFRESH understanding of:
The purpose of this education is to UPDATE and REFRESH your understanding
of:
Aultman’s Compliance Program.
The HIPAA rules and PROTECTING OUR PATIENT’S confidential information.
2
3
Aultman’s Compliance Program
The Aultman Compliance Program includes SEVEN CORE ELEMENTS as required by the government.
Written policies and procedures and standards of conduct.
A Compliance Officer that is accountable and responsible for the program.
Effective education and training.
Lines of communication for reporting compliance concerns.
Disciplinary action for non-compliance.
Routine auditing and monitoring to identify risks.
Procedures for responding promptly to non-compliance and undertaking corrective action.
The 7 elements of an effective Compliance Program are…
4
So… what does the Compliance Department at Aultman actually do?
Demonstrates a good faith effort to comply with federal, state, and local regulations.
Establishes procedures to prevent, detect, and correct non-compliance.
PROTECT our organization, workforce members, and customers.
Preserve the level of INTEGRITY that Aultman is known for as a highly reliable organization.
Promote the continued effort to DO THE RIGHT THING.
Provides a method for employees to report potential problems.
Serves as a resource to resolve compliance issues.
But wait!THERE’S MORE…
Aultman’s Compliance Department strives to…
What is expected of me?
5
Follow Aultman’s Code of Conduct.
Carry out your job duties with INTEGRITY and HONESTY.
Know the laws and regulations that apply to your job.
Exercise good judgment and do the right thing when performing your job.
Report suspected compliance concerns orproblems to the Compliance Department.
Fraud, Waste, and Abuse (FWA)
Fraud, Waste, and Abuse can occur in many different formats.
For example...Billing for services not furnished or that are medically unnecessary could be considered FWA.
An estimated 10% of Medicare costs are wrongly spent on fraud, waste, and abuse.
The government is devoting substantial resources to prevent and
detect FWA.
If you have a concern or
question about how things are being done, it is important that you report your
concern.
Additional information regarding FWA, and the False Claims Act, can be found in the Aultman Employee Handbook or CMS’s Fraud & Abuse: Prevention, Detection, and Reporting Fact Sheet.
6
How do I report a Compliance Concern?Discuss concerns with your manager or another member of the management team.
Contact the Compliance Department at (330) 363-3380 or Ext. 33380 or [email protected].
Report anonymously by calling the Aultman Compliance Line at 1 (866) 907-6901 or online at https://www.aultman.org/complianceline.
Employees reporting in good faith will not be subject to retaliation.
I have a concern…
7
What is HIPAA?
HIPAA is a federal law which:
Regulates and sets standards for protecting patient privacy andconfidentiality of Protected Health Information (PHI).
Describes how we may use and disclose health information.
Expands patient’s rights regarding their health information.
Includes penalties for privacy violations.
8
Any and all health information that could identify a particular person.
Protected Health Information (PHI) :
Name & address, age, date of birth, social security number, clinical information, test results, diagnosis, photos, employer.
Breach:
May require notification of patient and government.
PHI can be shared without patient authorization for:
When someone obtains, views, or discloses PHI inappropriately.
Treatment – anyone who has a treatment relationship with the patient.
Payment – for billing and collection activities.
Healthcare Operations – business activities, including quality improvement and teaching.
Report any potential breaches to the Compliance Department.
9
Why is Patient Privacy Important?
Patients place TRUST in us to protect their most private information.
If patients don’t trust us with their private information…
They may be reluctant to disclose important information that is vital to their care.
Our community reputation could be damaged.
Not only do we have a legal duty to protect patient health information, we have an ETHICAL and MORAL
obligation, as well.
They may go elsewhere to receive treatment.
10
What can I tell my patient’s friends and family?
Obtain patient approval before sharing PHI.
Oral or written approval is acceptable.
Document it in the medical record.
Use the Privacy Communication tab in Cerner or paper form.
Patient may change his/her mind at any time.
Use professional judgment when patient is unconscious
or incapacitated.
Utilize the Minimum Necessary Standard.
Family & friends should be actively involved in care in order to receive PHI.
When in doubt, do not disclose information!
Remember, you can consult your manager or Compliance for guidance.
11
Mobile DevicesMobile devices such as
laptops, tablets, smartphones, and USB
flash drives that contain confidential Aultman information must be
password protected and encrypted, when
possible.
Texting of patient information should only be performed with Aultman approved applications that are secure and encrypted.
The Joint Commission prohibits the texting of patient care orders.
12
Audits
HIPAA rules require that all our electronic systems have the capability to produce an audit trail.
This allows us to:
Investigate any patient complaint regarding HIPAA.
Run specialized reports that can show, for example, if a user accessed a co-worker’s medical record.
13
See who has accessed patient records and when.
Conduct random audits of employee access.
Did you know?Snooping into electronic medical records is the most
common type of HIPAA violation at Aultman.
Aultman policies DO NOT PERMIT workforce members to look up their own
medical information, or that of family, friends, co-workers, or patients of
interest.
Sn ping
This applies to all forms of medical
information
14
They’re my records… why can’t I have access?
When receiving health care services, employees are like any other patient.
As a patient, an employee may obtain a copy of their health care information (or the records of family members) by completing the release of information process in the Medical Records Department.
A signed Authorization Form does not permit workforce members to directly access anyone’s information via Aultman’s various electronic systems.
Aultman’s Patient Portal is also available and allows patients direct access to their health information. If you still need to sign-up for the Patient Portal,
please contact the Registration Department.
15
What’s the big deal?
The reason for these restrictions is the HIPAA Minimum Necessary Standard, also known as “the need to know rule.”
Under this HIPAA standard, you are only permitted to access information you need to do your job and disclose only information to others to do their
job.
Looking up your own information or the
information of a family member does NOT meet
this standard!
The HIPAA rules require health care organizations to have consistent disciplinary actions in place for employees who violate HIPAA. At Aultman, disciplinary actions for HIPAA violations have ranged from suspensions to terminations.
Aultman’s disciplinary process is outlined in the Employee Handbook. 16
Social media websites are a great tool for sharing all kinds of information,
BUT NEVER
for sharing any kind of patient information, even in general terms!
Remember that any information and images you post online could remain there forever and might be redistributed, shared, commented upon, and accessed by anyone, including your family, friends, or employers (even many years later).
THINK….before
you post!
18
Computer & Email Security
Log off or lock your computer when leaving your workstation.
To lock your screen press:
EmailAll emails sent to another Aultman email are secure.
Emails sent externally that contain Protected Health Information MUST be encrypted.
Type [SECURE] anywhere in the subject line to
encrypt an email.
User IDs and Passwords
Everyone must have a unique user ID and password and they are responsible for all activity that occurs under that combination.
Mandatory password changes are required a minimum of every 90 days.
Passwords should be strong to increase security.[Secure]
19
Phishing attacks are typically carried out through the use of emails that appear to be sent from a legitimate source.
Recipients of these emails are directed to click on links that send them to websites designed to obtain sensitive information or install malicious software ontotheir device.
Phishing Schemes
20
How to spot a phishing email
Spelling and bad grammar
If you notice mistakes in an email, it may be malicious.
The hyperlinked URL is differentHover your mouse over the address in the “from” field to see if the website domain matches that of the site the email should have originated from.
Call to action
Often they will trick youinto clicking on a link to reactivate your account or to remove a hold. Don’t click on the link, but instead log onto your account in question directly through their website.
You Won!!
A common scam is to send an email that says you won a prize for a contest you never
entered. Requesting personal information
Reputable organizations will not ask for personal information in an email.
Make a donationUnfortunately, phishing emails might ask for a donation to a legitimate cause, such as the American Red Cross. To be safe, contact organizations directly to make donations.
21
Ransomware
A type of malicious software designed to block access to a computer system until a sum of money is paid.
Installed through email attachments, infected downloads, or visiting malicious websites or links.
Only open attachments, install downloads, orvisit websites from known and trusted sources.
H E A LT H C A R E
22
If you feel you have fallen victim to
ransomware or a phishing scheme,
please contact our IT Security Department
IMMEDIATELY at:
23
There are resources available to learn more about the HIPAA
Privacy and Security Regulations
This is a document we are required to give all patients. It summarizes our policies
and procedures in regards to the requirements of HIPAA.
This is our internal system that contains all of Aultman’s HIPAA Privacy and Security policies and procedures.
Can be accessed through the employee portal under “Resources” then “Policies & Procedures”.
24
Notice of Privacy Practices (NPP)
PolicyTech
Issues we’ve seen at Aultman
Random audit revealed an employee accessed their co-worker’s records.
A group of employees posed for a picture while at work that was posted tosocial media. Patient PHI was visible on the computer behind them. Employees
were receiving harassing phone
calls from a patient’s family demanding
protected information.Guidance was
provided to the staff.
A patient was sent home with
another patient’s discharge
instructions or clinical summary.
Lab report was faxed to the wrong
physician office. A family member found a nurse’s report paper with patient PHI on the ground in the hallway.
25
A department requested guidance on proper storage of PHI in their offices.
Questions?Kelly Martinelli Aultman Medical Group Compliance Officer
Ext. 46493 or (330) 433-1493 [email protected]
Valerie Waldorff Aultman Orrville Hospital Compliance Liaison Ext. 35425 or (330) 363-5425 [email protected]
Karen Wulff Integrated Health Collaborative Compliance & Privacy Officer Ext. 33115 or (330) 363-3115 [email protected]
Direct questions regarding Systems and Technology Security to:
Barbara McGill – HIPAA IT Security Officer/AnalystExt. 39784 or (330) 363-9784; [email protected]
Tim Regula Chief Compliance and Privacy Officer
Ext. 37448 or (330) 363-7448
Compliance Department Ext. 33380 or [email protected]
26
[email protected] submit a Help Desk Ticket via the Employee Portal.
HIPAA regulations require Aultman to provide on-going
compliance education for all employees and other members of
the Aultman workforce. We have created a post-test to
demonstrate your understanding of the information provided in
this education. Every employee must complete the post-test and
answer 80% of the questions correctly.
Please proceed to the post-test now.
27
Tan
a R
od
gers
BSN
, RN
20
17