HIPAA – Field Training 2015

Transcript of HIPAA Field Training 2015 (source: hipaa.corizonhealth.com › docs › 2015-HIPAA-Field-Training-PPT-Module.pdf)

Page 1

HIPAA – Field Training 2015

Page 2

Topic 1 – Overview

Time to complete Topic 1: Approximately 15 minutes

Page 3

Introduction/Objectives

At the conclusion of this training module, you should have an understanding of the following:

What constitutes Protected Health Information (PHI);

The HIPAA Privacy and Security Rules and how each affects Employees in the workplace;

Corizon Health’s Privacy and Security Policies and Procedures and how these should be made available to all employees;

The General Rules for the use and/or disclosure of PHI;

The appropriate method for identifying and reporting Privacy and/or Security Violations and/or Incidents;

© Corizon Health, Inc. All information and photos are confidential and proprietary. All rights reserved.

Page 4

Introduction/Objectives (continued)

At the conclusion of this training module, you should have an understanding of the following:

Each Employee’s responsibility in terms of Privacy and Security surrounding PHI in the workplace; and

A patient’s right surrounding his or her PHI and the role Employees have in exercising and/or preserving these rights

Business Associates and the role and requirements surrounding each

The HITECH Act and the Final Omnibus Rule (2013)

Enforcement measures that are available in the absence of compliance

Page 5

Top HIPAA Breaches in 2014

#1: Community Health Systems

• 4.5 million individuals affected

• Overseas hackers managed to bypass cybersecurity measures and obtained access to patient records, including names, addresses, dates of birth, telephone numbers and social security numbers.

#2: Xerox State Healthcare, LLC

• 2 million individuals affected

• Business associate to the Texas HHS Commission that failed to protect patient records and permitted other parties access to the protected information

#3: Sutherland Healthcare Solutions, Inc.

• 342,197 individuals affected

• Eight laptops stolen from the office that were not appropriately encrypted. Computers held patient data, including names, addresses and billing information

Page 6

HIPAA Terms

Page 7

HIPAA Terms

Breach

• The acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part [i.e., the Privacy Rule, 45 C.F.R. Part 164, Subpart E] which compromises the security or privacy of the protected health information.

Page 8

HIPAA Term: Business Associate

A person or entity, other than an Employee or other member of the workforce of the Company, which performs, or assists in the performance of, a function or activity on behalf of Corizon Health or a Corizon Health Business Associate involving the use and/or disclosure of individually identifiable health information. Such functions or activities include claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, and repricing. Business associates also include any providers of legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to Corizon Health or a Business Associate thereof, where the provision of such services involves the disclosure or use of individually identifiable health information.

Page 9

HIPAA Terms

Business Associate Agreement

• Agreement between the Company and a Business Associate, pursuant to which the Business Associate agrees to provide certain protections of PHI received by or created on behalf of the Company.

Corizon Health

• Corizon Health, Inc., Corizon, LLC, and their affiliated entities.

Designated Record Set

• Please refer to your Corizon Health Privacy Policies for specific information on the Designated Record Set.

Page 10

HIPAA Terms

Disclosure Log

• Record maintained by Corizon Health of all disclosures of PHI as required to be maintained pursuant to Privacy and Security Policies and Procedures.

Employee

• Any person whose conduct, in the performance of work for Corizon Health, is under the direct control of Corizon Health, whether or not such person is paid by Corizon Health and whose duties bring such person in contact with PHI. For the purpose of these Privacy and Security Policies and Procedures, the term “Employee” includes, but is not limited to, customer service representatives, any administrative personnel, and any personnel under Corizon Health’s control who deliver health care services or items to inmates in correctional institutions.

Page 11

HIPAA Terms

Final Omnibus Rule

• The final rule announced by the U.S. Dept. of Health and Human Services which implements a number of provisions of the HITECH Act, effective March 26, 2013, with a compliance date of September 23, 2013.

Page 12

HIPAA Terms

Health Care Operations

• Administrative and managerial activities of Corizon Health including quality assessment and improvement activities, legal compliance activities, business planning and development activities, and other business management and general administrative activities.

Health Oversight Activity

• Activities by a Health Oversight Agency for the purpose of oversight of the healthcare system (whether public or private, or government programs) in which health information is necessary to determine eligibility or compliance, or to enforce civil rights for which health information is relevant.

Page 13

HIPAA Terms

Health Oversight Agency

• An agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or a person or entity acting under a grant of authority or contract with such public agency, that is authorized by law to conduct Health Oversight Activities.

HIPAA

• The Health Insurance Portability and Accountability Act of 1996, commonly referred to as “HIPAA”, is a federal law which created a national standard for the privacy and security of protected health information (“PHI”).

Page 14

HIPAA Terms

HITECH Act

• Health Information Technology for Economic and Clinical Health Act

Individually Identifiable Health Information

• Health information which relates to: (i) the past, present, or future physical or mental health or condition of an individual; (ii) the provision of healthcare to an individual; or (iii) the past, present, or future payment for the provision of healthcare to an individual, where such information either identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Page 15

HIPAA Terms

Patients and Personal Reps

• The term “patient” may also include the patient's legally designated "personal representative". A personal representative is any of the following [see 45 C.F.R. § 164.502(g)]: A conservator of the person of an incompetent patient; an agent appointed under a power of attorney for health care, if the patient is incompetent; any other person who can make health care decisions on behalf of an incompetent patient; A personal representative (i.e., the executor or administrator) of the estate of a deceased patient or any heir or beneficiary of a deceased patient; parents of minor children; or emancipated minors.

Page 16

HIPAA Terms

Professional Corporation (PC)

• A corporate entity established and solely owned by physician shareholders.

Page 17

HIPAA Terms

Protected Health Information (PHI)

• Individually identifiable health information, in any form or medium, which relates to: (i) the past, present, or future physical or mental health or condition of an individual; (ii) the provision of healthcare to an individual; or (iii) the past, present, or future payment for the provision of healthcare to an individual, where such information either identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

• PHI includes not only medical records, but all other forms or documents that contain individually identifiable health information, including but not limited to health service request forms, medication administration records, sick call requests, daily clinic logs, etc.

Page 18

HIPAA Terms

Privacy Officer

• The person who is responsible for the development and implementation of these Privacy and Security Policies and Procedures, and overseeing the Company’s compliance with the requirements of the Privacy Rules.

Privacy Rules

• Regulations promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) at Title 45, parts 160, 162 and 164 of the Code of Federal Regulations, pertaining to the privacy of health information.

Page 19

HIPAA Terms

Privacy and Security Policies and Procedures

• The policies and procedures contained herein, which have been adopted by the Company as part of its efforts to comply with the Privacy and Security Rules.

Public Health Activity

• The activities of a public health authority for the purpose of preventing or controlling disease, injury or disability, including but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions.

Page 20

HIPAA Terms

Security Officer

• The person who is responsible for the development and implementation of Security Policies and Procedures, and overseeing the Company’s compliance with the requirements of the Security Rule.

Page 21

HIPAA Terms

Unsecured PHI

• Protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary of Health and Human Services (in HHS guidance, encryption of the data at rest and in transit, or destruction of the media holding it).

Page 22

Who are the Corizon Health Super Users?

Who are the Super Users for our companies?

• All HSAs/Program Managers/DONs/AAs

• Regional Office Designees

• Professional Corporation (PC) Shareholders

Who will the Super Users be training?

• All Site Level Employees

• PC Employees

Page 23

Who are the Corizon Health Super Users?

What is the Super User role?

• HIPAA Training Facilitator

• Initial contact person at the site level for HIPAA related issues

Note: In the event that you have a question concerning this training module or HIPAA, please contact your site Super User or the Privacy Officer.

Page 24

Why is training important?

There are many reasons why training is important.

Training

• Training enables Employees to develop the knowledge and skills set necessary to perform the essential functions of their job in compliance with the law.

Advantage

• Effective training affords Corizon Health a competitive advantage in the correctional healthcare market.

Page 25

Why is training important?

Career

• Training advances an Employee’s career and sense of feeling valued by Corizon Health.

OJT

• “On the job training” is an investment in Corizon Health’s future as Employees will share this knowledge with other Employees (current and new hires) in performing the essential functions of their job.

Page 26

Training Compliance

To complete this course, work through all five Topics in order. After you have reviewed the 5 topics, you may take the Quiz. The estimated total time to complete this course, including the Quiz, is about 70 minutes.

Topic #   Topic Title                 Time to Complete
1         Overview                    15 Minutes
2         Privacy Rule                15 Minutes
3         Security Rule               10 Minutes
4         Reporting and Enforcement   10 Minutes
5         Scenarios                   10 Minutes
Quiz      Review Quiz                 10 Minutes

Total Time to Complete: 70 Minutes

Page 27

Training Compliance

At the end of this training, you will need to take a short quiz and answer all ten (10) questions correctly. In the event you do not answer all ten (10) questions correctly, you are required to retake the quiz. The Super User at each site shall ensure that each Employee takes the Quiz until he/she attains a score of 100%.

Page 28

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996, commonly referred to as “HIPAA”, is a federal law which created a national standard for the privacy and security of Protected Health Information (“PHI”).

In learning about HIPAA, it is important to recognize that this legislation was enacted with two broad interests in mind:

• Privacy

• Security

Page 29

What is HIPAA?

In this course, we will first learn about the privacy component of HIPAA more precisely referred to as the HIPAA Privacy Rule.

Generally speaking, the HIPAA Privacy Rule was enacted to encompass the following items:

• Individual rights;

• Instructions on how to exercise those individual rights; and

• Uses and/or disclosures of PHI which must be authorized by the individual (patient) or are required by law.

Page 30

What is HIPAA?

After we conclude our discussion of the Privacy Rule, we will redirect our attention to the Security Rule which mandates the administrative, physical, and technical safeguards necessary to protect the confidentiality, integrity, and availability of electronic PHI (“ePHI”).

Page 31

What is Protected Health Information?

HIPAA’s Privacy and Security Rules only apply to Protected Health Information, commonly referred to as “PHI”. Therefore, in order for Employees to understand the important aspects of HIPAA, it is critical to know what PHI is.

PHI is defined as individually identifiable health information that is transmitted or maintained in electronic, written, oral, and/or any other recorded form or medium.

Page 32

What is Protected Health Information?

Individually identifiable health information is:

• Information that identifies an individual;

• Information created or received by Corizon Health; and

• Information that relates to the past, present or future physical or mental health condition of the individual.

Page 33

What is PHI?

Some common examples of PHI include:

• Patient medical records

• Prescriptions

• Billing information

• Patient insurance forms

• Patient charts

PHI does NOT include:

• Employment records held by a Covered Entity in its role as an employer

• Educational records

Page 34

How does HIPAA apply to Corizon?

HIPAA only applies to “Covered Entities”, which include health plans, health care clearinghouses and health care providers who use PHI in connection with certain electronic transactions (such as payments or claims attachments).

Page 35

How does HIPAA apply to Corizon?

Under HIPAA, a health care provider is defined as an entity that furnishes medical services.

Because Corizon Health provides medical services to inmates of correctional facilities across the United States, Corizon Health is considered a health care provider.

As a health care provider, Corizon Health transmits electronic PHI for purposes of certain transactions, which results in Corizon Health being classified as a “Covered Entity” for purposes of HIPAA.

Page 36

Topic 1 – Overview – Conclusion

Great job, Topic 1 is complete.

Topic #   Topic Title                 Time to Complete
1         Overview                    15 Minutes
2         Privacy Rule                15 Minutes
3         Security Rule               10 Minutes
4         Reporting and Enforcement   10 Minutes
5         Scenarios                   10 Minutes
Quiz      Review Quiz                 10 Minutes

Total Time to Complete: 70 Minutes

Page 37

Topic 2 – Privacy Rule

Time to complete Topic 2: Approximately 15 minutes

Page 38

Objectives

At the end of this Topic, the learner will have a good understanding of:

• The general rules for the use and disclosure of PHI;

• An individual’s right to access his or her own PHI;

• How to adequately protect an individual’s PHI from inappropriate use or disclosure;

• Documenting “non-routine” disclosures of PHI; and

• The reporting of any improper uses or disclosures of PHI to the appropriate personnel so that any harmful effects can be mitigated.

Page 39

General Rules for the Use and Disclosure of PHI

The HIPAA Privacy Rule generally requires Corizon Health to take reasonable steps to limit the use and disclosure of PHI to the minimum amount necessary to accomplish the intended purpose.

The Employee shall make a reasonable effort to use and/or disclose only the amount of PHI which is required to perform his or her essential job functions.

It is important to remember that the “Minimum Necessary Standard” does not apply to all uses and disclosures of PHI.

Page 40

Exceptions to the “Minimum Necessary Standard”

The Minimum Necessary Standard DOES NOT apply to the following uses and disclosures of PHI:

• Uses and disclosures of PHI for treatment purposes (e.g. from one health care provider to another)

• Uses and disclosures of PHI to the individual who is the subject of the PHI

• Uses and disclosures of PHI pursuant to a valid HIPAA compliant written authorization

• Uses and disclosures of PHI that are required by law

Page 41

“Minimum Necessary Standard” – Example 1

A patient at the Jail has requested that a copy of his entire medical record be provided to his attorney. He has presented a signed, validly executed authorization for release of his records.

Does the “Minimum Necessary Standard” apply here? (YES / NO)

Correct Answer: No. The patient has signed an Authorization allowing his entire record to be sent to his Attorney, so the Minimum Necessary Rule does not apply. The entire record must be provided to the patient’s attorney.

Page 42

“Minimum Necessary Standard” – Example 2

Patient is being sent off-site to the hospital for a surgical procedure. The surgeon at the hospital calls to speak to the treating physician at the correctional facility about the Patient’s care and upcoming procedure.

Does the “Minimum Necessary Standard” apply here? (YES / NO)

Correct Answer: No. The “Minimum Necessary Standard” does NOT apply to uses and disclosures of PHI for the purpose of treatment.

Page 43

“Minimum Necessary Standard” – Example 3

Nurse Nancy makes a serious documentation error in a Patient’s chart. Her supervisor works with the HR Department to determine whether corrective action is warranted. The HR Department requests a copy of the medical record as part of its investigation.

Does the “Minimum Necessary Standard” apply here? (YES / NO)

Correct Answer: Yes. The Supervisor should only provide the relevant pages of the medical record to the HR Department, with the patient’s name redacted. The HR Department does not need to know the patient’s name or see the entire record in order to complete its investigation.

Page 44

“Minimum Necessary Standard” – Example 4

Several inmates at the correctional facility have been diagnosed with and are being treated for a communicable disease. The local health department is on-site at the correctional facility to investigate and help mitigate a possible outbreak.

Should the Medical Staff apply the “Minimum Necessary Standard” when speaking with the Health Department? (YES / NO)

Correct Answer: No. Reporting of communicable disease to the public health authority is required by law, so the “Minimum Necessary Standard” does NOT apply to the extent of that legal requirement. The Health Department will need all information related to the patients with the communicable disease in order to adequately and effectively treat and prevent the spread of the disease.

Page 45

When is a Written Authorization Required?

The HIPAA Privacy Rule requires Employees to obtain a HIPAA compliant written patient authorization prior to using and/or disclosing PHI for certain purposes.

Some examples of uses and/or disclosures of PHI that require a HIPAA compliant patient authorization are:

• Disclosure of PHI to the patient’s family or friends in cases where the friend or family member is NOT the patient’s personal representative

• Disclosure of PHI to the media

• Disclosure of PHI to the patient’s attorney.

Employees can obtain Corizon’s standard HIPAA compliant patient authorization online at http://hipaa.corizonhealth.com or from the Super User at your respective site.

Page 46

When a Written Authorization is NOT Required

Employees are NOT required to obtain a HIPAA compliant written authorization prior to using and/or disclosing PHI in the following circumstances:

• Uses or disclosures of PHI for treatment purposes (providing healthcare services or items)

• Uses or disclosures of PHI for payment purposes (submitting and receiving claims, making and receiving payment for services)

• Uses or disclosures of PHI for health care operational purposes (quality improvement activities, credentialing, utilization review, training programs, accreditation activities, insurance rating)

Page 47

When a Written Authorization is NOT Required (Continued)

• Uses or disclosures of PHI to a correctional facility or officer to assist the facility in providing the patient with health care, protecting the health or safety of the patient or others, or for the safety or security of the correctional facility

• Uses or disclosures of PHI to avert a serious threat to health or safety (threat to the patient, public, or other individuals)

• Uses or disclosures of PHI for law enforcement purposes (information related to the commission of a crime on the premises or against health care personnel)

Page 48

When a Written Authorization is NOT Required (Continued)

• Uses or disclosures of PHI to a Corizon Health Business Associate that has signed a Business Associate Agreement

• Uses or disclosures of PHI for public health activities as required by law for the purpose of preventing or controlling disease, injury or disability

• Uses or disclosures of PHI for judicial, legal, or administrative proceedings (e.g. Court orders and subpoenas)

KEY ELEMENT OF INSTRUCTION: It is important that Employees understand that Corizon Health is the custodian of the PHI in its possession and the Client is the owner. For this reason, Employees must not impede the Client’s ability to access its own PHI so long as such use and disclosure complies with the correctional facilities/officer exception listed above.

Page 49

What is required of a Business Associate?

The HIPAA Privacy Rule requires Covered Entities such as Corizon Health to enter into a Business Associate Agreement (“BAA”) with any third party individual or entity that is determined to be a “Business Associate” of the Company (“BA”). Upon entering into a BAA with Corizon Health, a BA is then obligated to comply with certain requirements under the Privacy and Security Rules, including agreeing to the use and/or disclosure of PHI only as permitted under the BAA and to maintain the appropriate security safeguards so as to prevent the unauthorized access, use, and/or disclosure of PHI.

Page 50

Business Associate Contracting Process

It is important to remember that Corizon Health may not share PHI (the use and/or disclosure) with a BA until a BAA has been executed between the parties.

If you wish to engage a BA, you need to contact the Privacy Officer and they will assist you with the process of drafting and executing the agreement.

Corizon Health is required to maintain copies of any fully executed BAAs in the event they are requested by the government. Therefore, it is imperative that the Privacy Officer be involved in the contracting process.

Page 51

Subcontractors

Upon the enactment of the Final Omnibus Rule in 2013, all subcontractors of Corizon Health's Business Associates are required to comply with the Privacy & Security Rules. This significant legislative change will require Corizon Health to carefully monitor the subcontractors utilized by its business associates for the purpose of ensuring 100% compliance.

Page 52

Who is a Business Associate?

The appropriate way to determine whether or not a third party individual or entity is a Corizon Health BA is to look at the activities and/or functions it performs on the Company’s behalf. Typical activities or functions performed by a BA for or on behalf of a Covered Entity such as Corizon Health include those listed below, provided the activity or function involves the use and/or disclosure of PHI:

Typical Activities / Functions Performed by a Business Associate:

• Claims Processing

• Data Analysis

• Utilization Management

• Quality Assurance

• Benefit Management

• Third Party Admin Activities

• Practice Management Services

• Legal

• Accounting / Actuarial

• Consulting

• Management

• Administrative

Page 53

Who is a Business Associate? (Continued)

Conversely, if a third party individual or entity performs one or more of the foregoing activities and/or functions on behalf of Corizon Health but DOES NOT access or use PHI in doing so, no business associate agreement is required. Additionally, if a third party individual or entity is a healthcare provider AND only receives and/or uses PHI in treating a common patient (an individual who is also a patient of Corizon Health), no business associate agreement is required.

In the event you have any questions with regard to Business Associates, please contact the Privacy Officer and/or a member of the Corizon Health Legal Department.

Page 54

Documenting “Non-Routine” Disclosures of PHI

Under the Privacy Rule, Corizon Health is required to provide patients with an accounting of all “Non-Routine” Disclosures of PHI made for up to six (6) years prior to the date of the patient’s request. Employees MUST document all “Non-Routine” disclosures of PHI in the PHI Non-Routine Disclosure Log.

Page 55

Documenting “Non-Routine” Disclosures of PHI (Continued)

Examples of “Non-Routine” Disclosures of PHI that must be documented include:

• Disclosure of PHI to a Health Oversight Agency (CMS, State DHS, SSA)

• Disclosures of PHI made pursuant to a Court or Administrative Agency Order

• Disclosures of PHI made pursuant to a subpoena

• Disclosures of PHI made pursuant to a request by a law enforcement agency

• Disclosures of PHI made to avoid a serious threat to health or safety

• Disclosures of PHI made to a public health agency (state or local public health authority)

Page 56

Documenting “Non-Routine” Disclosures of PHI (Continued)

When documenting “Non-Routine” Disclosures of PHI, Corizon Health must record the following information in the PHI Non-Routine Disclosure Log:

• Date of the disclosure

• Name and address of the person or organization who received the disclosure

• Brief description of the PHI disclosed

• Purpose for which the information was disclosed

In the event an Employee has further questions about the documentation requirements for “Non-Routine” Disclosures of PHI, they should contact their site Super User or the Privacy Officer.

Page 57

Patient’s Right to Access PHI

As a general rule, HIPAA gives patients certain rights regarding their PHI, including, but not limited to, the right to inspect or obtain a copy of their medical records. Additionally, specialized rules may apply if the patient is legally considered a minor.

However, because inmates do not have the same rights as other patients under HIPAA, Corizon Health may deny an inmate’s request to inspect or obtain a copy of his or her PHI if it would jeopardize the health, safety, security, custody, or rehabilitation of the individual or other inmates, or the safety of an Employee or the correctional staff of the facility.

Page 58

What Rights Do Minors Have?

HIPAA addresses issues surrounding parental rights relative to a minor (a person who has not reached the legal age of majority) under the regulations dealing with “personal representatives.”

HIPAA defines a “personal representative” as a person authorized under applicable law to make health care decisions on another individual’s behalf.

It is important to know that HIPAA takes a deferential approach to patient rights when it comes to dealing with patients who have not reached the legal age of majority (minors).

As a general rule, HIPAA gives minors the right to exercise control over their own PHI (including restrictions on access) IF, under state law, the minor in question obtained or could have obtained the medical treatment to which the PHI pertains, WITHOUT parental consent.

As is the case with all legal rules, there is an EXCEPTION: If the state law allows or prevents the disclosure of a minor’s PHI to a parent or guardian (personal representative), HIPAA defers to the state law.

Page 59

What Rights Do Minors Have? (Continued)

CAUTION: When dealing with minors and their rights with regard to PHI, you should consult the legal department as to what state law allows and/or requires.

These situations should be addressed on a case-by-case basis, as there are other legal scenarios where a minor is permitted to restrict access to his or her own PHI (e.g. in cases of abuse or neglect, or where PHI involves substance abuse and/or mental health).

Page 60

Corizon Health Privacy Officer

Corizon Health has designated a HIPAA Privacy Officer whose responsibilities include ensuring HIPAA compliance among all Employees.

The Corizon Health Privacy Officer is:

Maya Patel
12647 Olive Boulevard, Suite 400
St. Louis, MO 63141
Telephone: 314.919.8817
Email: [email protected]

Page 61

Safeguarding PHI – Key Provisions

Comprehensive Privacy and Security Policies and Procedures have been developed in order to safeguard PHI. The Corizon Health Privacy and Security Policies & Procedures are available for reference at http://hipaa.corizonhealth.com and in paper form at the site level. Key provisions include the following:

• All current Employees and all new Employees will receive compliance training consistent with the Corizon Health Privacy and Security Policies and Procedures

• Only authorized Employees will have access to PHI

• Access to all PHI will be monitored

Page 62

Safeguarding PHI – Key Provisions (Continued)

Before disclosing PHI for any purpose other than for treatment, payment or health care operations, an Employee should consult the Corizon Health Privacy and Security Policies and Procedures and determine the following:

• If the disclosure is permitted

• If a patient authorization is required for the disclosure

• If the disclosure must be documented

Page 63

Safeguarding PHI – Key Provisions (Continued)

If an employee cannot determine with certainty whether a disclosure is permitted, requires patient authorization, or must be documented, the Employee must contact the Super User or Privacy Officer for clarification.

Page 64

Employee Privacy Responsibilities

All Employees must do the following:

COMPLY: Comply with Corizon’s Privacy and Security Policies and Procedures;

MINDFUL: Be mindful of privacy issues pertaining to the use and disclosure of PHI;

ACCESS: Ensure that only authorized Employees access PHI;

Page 65

Employee Privacy Responsibilities (Continued)

BEFORE: Before disclosing PHI, consult the Privacy and Security Policies and Procedures to determine if a patient authorization is required for the disclosure and whether or not the disclosure must be documented;

REFRAIN: Refrain from discussing PHI in common or unsecured areas (e.g. elevators, lobbies, etc.); and

NOTIFY: Notify the Privacy Officer if he or she believes that a Privacy and/or Security Policy or Procedure has been violated.

Page 66

Topic 2 – Privacy Rule – Conclusion

Great job, Topic 2 is complete.

Topic Title                  Topic #   Time to Complete
Overview                     1         15 Minutes
Privacy Rule                 2         15 Minutes
Security Rule                3         10 Minutes
Reporting and Enforcement    4         10 Minutes
Scenarios                    5         10 Minutes
Review Quiz                  Quiz      10 Minutes

Total Time to Complete: 70 Minutes

Page 67

Topic 3 – Security Rule

Time to complete Topic 3: Approximately 10 minutes

Page 68

The Security Rule

The HIPAA Security Rule became effective on April 20, 2005, and set a national standard for protection of the confidentiality, integrity, and availability of electronic PHI when it is stored (at rest), maintained, or transmitted.

The Security Rule sets forth the standards and processes that are required to protect the confidentiality, integrity, and availability of electronic PHI in the form of Administrative, Physical, and Technical Safeguards (covered on the next page).

Page 69

The Security Rule

Administrative Safeguard Example: Requiring authorization for Employees to access electronic PHI

Physical Safeguard Example: Maintaining secure workstations to avoid the incidental viewing of PHI

Technical Safeguard Example: Continuously monitoring all access attempts to electronic PHI

Page 70

Corizon Health Security Officer

Corizon Health has designated a Security Officer whose responsibilities include ensuring compliance with Corizon’s Security Policies and Procedures.

The Corizon Health Security Officer is:

Jacob Arthur
103 Powell Court
Brentwood, TN 37027
Email: [email protected]

Page 71

Employee Security Responsibilities

All Employees must do the following:

ADHERE: Comply with Corizon’s Privacy and Security Policies and Procedures;

AVOID: Avoid the use of common or obvious passwords;

AVOID: Avoid sharing passwords with anyone;

LOCK/LOG OFF: Lock or log off workstations whenever leaving them unattended;

REPORT: Promptly report any suspected security violations to the Security Officer.

Page 72

Corizon Encryption Policy

When sending PI or PHI via email to a domain address other than “Corizonhealth.com”, you must encrypt the communication.

Adding any one of the following key words to the subject line of the email will send the message through our secure email gateway: encryptme, [ENCRYPT], or [SEND SECURE].

Failure to do so could result in a breach of the PHI.

Page 73

Prohibited Email Activity

You MAY NOT send any PHI from any personal email account or other non-Corizonhealth email account, such as a DOC or county email address.

When you send an email that contains PHI outside the Corizonhealth.com domain, it needs to be sent from a corizonhealth.com email address and be encrypted.

DO NOT USE your DOC or county email address to communicate with employees or the corporate office regarding any PHI.

If you do so, corrective action, up to and including termination, may result.
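The encryption policy on the previous page and the prohibited-activity rules above together define a simple outbound-mail policy: PHI must originate from a corizonhealth.com account, and when any recipient is outside that domain the subject line must carry one of the three gateway keywords. The check below is an added example written for this page, not Corizon Health's gateway or any code it publishes. It assumes the message has already been classified as containing PI/PHI (for instance by a DLP scanner or the sender's own flag), that keyword matching is case-insensitive, and that only the exact domain corizonhealth.com counts as corporate; the verdict names and the sample messages are constructed for the illustration.

```python
from dataclasses import dataclass
from enum import Enum

# Corporate domain named in the policy text ("Corizonhealth.com"); exact-match only
# (treating subdomains as corporate is not something the policy states, so this
# example does not).
CORPORATE_DOMAIN = "corizonhealth.com"

# Subject-line keywords listed in the policy; any one of them routes the message
# through the secure email gateway. Case-insensitive matching is an assumption
# of this example.
ENCRYPT_KEYWORDS = ("encryptme", "[ENCRYPT]", "[SEND SECURE]")


class Verdict(Enum):
    """Outcome of the policy check (names are this example's own)."""
    ALLOW = "allow"
    BLOCK_NON_CORPORATE_SENDER = "block: PHI may not be sent from a non-corizonhealth.com account"
    NEEDS_ENCRYPTION = "block: external recipient but no encryption keyword in subject"


@dataclass
class OutboundMail:
    sender: str
    recipients: list
    subject: str
    contains_phi: bool  # assumed to be set upstream (DLP classifier or sender); covers PI as well


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, so 'Nurse@CorizonHealth.com' compares equal."""
    return address.rsplit("@", 1)[-1].strip().lower()


def has_encrypt_keyword(subject: str) -> bool:
    lowered = subject.lower()
    return any(keyword.lower() in lowered for keyword in ENCRYPT_KEYWORDS)


def check_outbound(mail: OutboundMail) -> Verdict:
    """Apply the two rules in the order the slides state them."""
    if not mail.contains_phi:
        return Verdict.ALLOW  # the policy only constrains messages carrying PI/PHI
    if domain_of(mail.sender) != CORPORATE_DOMAIN:
        return Verdict.BLOCK_NON_CORPORATE_SENDER  # personal, DOC or county account
    external = [r for r in mail.recipients if domain_of(r) != CORPORATE_DOMAIN]
    if external and not has_encrypt_keyword(mail.subject):
        return Verdict.NEEDS_ENCRYPTION  # leaving the domain without the gateway keyword
    return Verdict.ALLOW


# Constructed sample messages (fictitious addresses) covering each branch.
SAMPLE_MAILS = {
    "external_plain": OutboundMail("nurse@corizonhealth.com", ["records@health.example"],
                                   "Inmate lab results", True),
    "external_keyword": OutboundMail("Nurse@CorizonHealth.com", ["records@health.example"],
                                     "[SEND SECURE] Inmate lab results", True),
    "county_account": OutboundMail("nurse@county.example", ["hsa@corizonhealth.com"],
                                   "[ENCRYPT] Inmate lab results", True),
    "internal_only": OutboundMail("nurse@corizonhealth.com", ["hsa@corizonhealth.com"],
                                  "Inmate lab results", True),
    "mixed_recipients": OutboundMail("nurse@corizonhealth.com",
                                     ["hsa@corizonhealth.com", "doc@county.example"],
                                     "encryptme: transfer summary", True),
    "no_phi": OutboundMail("nurse@corizonhealth.com", ["vendor@supplier.example"],
                           "Order confirmation", False),
}


def evaluate_all() -> dict:
    """Verdict for every sample message, keyed by its label."""
    return {name: check_outbound(mail) for name, mail in SAMPLE_MAILS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:18s} -> {verdict.value}")
```

Note that the county-account case is blocked even though its subject carries a keyword: the sender rule is checked first because encryption at the gateway does not cure the use of a non-corporate account, which is the point the "Prohibited Email Activity" slide makes.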

Page 74

Topic 3 – Security Rule – Conclusion

Great job, Topic 3 is complete.


Page 75

Topic 4 – Reporting/Enforcement

Time to complete Topic 4: Approximately 10 minutes

Page 76

Objectives

Upon completing this Topic, you should understand the following:

• How the HITECH Act of 2009 and the Final Omnibus Rule affect Corizon Health and its Employees

• What enforcement measures can be taken in the event our Employees run afoul of compliance.

Because the exchange of health information is important for all health care providers and their patients, legislators are constantly looking for ways to modify and/or improve the rules that govern it. The Final Omnibus Rule is one example of a recent legislative update that increased many of the duties a health care provider has with regard to information privacy and security.

Page 77

Privacy and Security Violations

Employees that fail to follow the Privacy and Security Policies and Procedures will be subject to appropriate disciplinary actions as set forth under HIPAA.

In the event that an Employee believes that a Privacy and/or Security Policy and Procedure has been violated, the Employee should:

• Notify the Privacy or Security Officer immediately

• Assist the Privacy or Security Officer to take whatever steps are practicable to mitigate (minimize) the harm from the violation

Page 78

HIPAA Enforcement: Key Facts

DELEGATED AUTHORITY: On December 20, 2000, the Department of Health and Human Services secretary delegated the authority to administer and enforce the Privacy and Security Standards to the Office of Civil Rights (OCR).

OCR ENFORCEMENT: The OCR enforcement process is complaint-driven and provides any individual who believes that a HIPAA Covered Entity is not complying with the HIPAA Rules the right to file a complaint.

Page 79

HIPAA Enforcement: Key Facts

MONEY PENALTIES: OCR has the power to assess civil money penalties against Corizon Health (a covered entity) if an Employee violates HIPAA. Specifically, OCR may assess civil monetary penalties against Corizon Health for up to $50,000 per “violation” and up to $1,500,000 each calendar year for “identical violations” which are not corrected.

HIPAA MANDATES: HIPAA mandates strict civil and criminal penalties for violations of the Privacy and Security Standards.

Page 80

HIPAA Enforcement: Key Facts

CRIMINAL CHARGES: Criminal charges may be brought and enforced by the Department of Justice against Covered Entities or their employees (individually) if an offense is committed with intent to sell, transfer, or use health information for commercial advantage, personal gain, or malicious harm. Violators (covered entities and/or their individual employees) may be fined up to $250,000, imprisoned for up to 10 years, or both.

Page 81

HITECH

HITECH proposed several modifications to HIPAA, many of which were enacted into law through the Final Omnibus Rule, effective March 26, 2013.

Page 82

Topic 4 – Reporting/Enforcement – Conclusion

Great job, Topic 4 is complete.


Page 83

Topic 5 – Scenarios

Time to complete Topic 5: Approximately 10 minutes

Page 84

Privacy and Security Violations (Scenario 1)

A local state representative has been contacted by one of his constituents expressing concerns for their son’s medical care while incarcerated and has called your site demanding a copy of the inmate’s medical records and to speak with the treating provider. The appropriate action would be to send a copy over to the representative since he is a government employee.

Correct Answer: No. Without a properly executed, HIPAA compliant authorization signed by the inmate, the site may not release any information to the state representative, regardless of his position in the Legislature.

Page 85

Privacy and Security Violations (Scenario 2)

A terminally ill patient has recently died. During his incarceration, he was never visited by any family member nor had any contact with family. Upon his death, his daughter is now demanding a copy of his medical records. The daughter has provided no evidence that she is the personal representative of the estate.

The appropriate action would be to provide the inmate’s health record to the attorney.

Correct Answer: No. In order to provide a deceased patient’s records to a family member, the family member must present documentation evidencing that they have been appointed personal representative of the estate. The HIPAA Privacy Rule protects the individually identifiable health information about a decedent for 50 years following the date of death of the patient.

Page 86

Scenarios Behind Bars (Scenario 3)

The mother of a MINOR inmate contacts medical and informs you of the following:

She saw her son at a visit today, and he told her that he is not getting his medication and that we put him on medication he does not want to take. It is obvious that she is reporting accurate information.

Can you discuss her son’s healthcare with her because you realize that she has this information?

Correct Answer: No. The Employee must consult the Legal Department as to the policy governing disclosure of PHI to a “Personal Representative” of a minor.

Page 87

Scenarios Behind Bars (Scenario 4)

The mother of an ADULT inmate contacts medical and informs you of the following:

She saw her son at a visit today and he told her that he is not getting his medication and that we put him on medication he does not want to take. It is obvious that she is reporting accurate information.

Can you discuss her son’s healthcare with her because you realize that she has this information?

Correct Answer: No. The mother needs to provide verification that she has been authorized / designated as the inmate’s personal representative via a standard Corizon Health Authorization Form, prior to any PHI being released / discussed / disclosed.

Page 88

Topic 5 – Scenarios – Conclusion

Great job, Topic 5 is complete.


Page 89

Slides Completed – Go To Quiz

Great Job!

You have completed viewing the 5 Topics.

Please proceed, as instructed by your site Super User, to the Quiz.

A separate Quiz and Answer sheet will be provided to you.