OVERVIEW OF THE HIPAA PRIVACY RULE and POLICIES

Presented by: Barbara Lee Peace, Facility Privacy Official, Coliseum Medical Centers

Page 1: OVERVIEW OF THE HIPAA PRIVACY RULE and POLICIES Presented by: Barbara Lee Peace Facility Privacy Official Coliseum Medical Centers.

OVERVIEW OF THE HIPAA PRIVACY RULE and POLICIES

Presented by:

Barbara Lee Peace

Facility Privacy Official

Coliseum Medical Centers

Page 2:

COMPLIANCE DEADLINE

HIPAA Privacy Rule

April 14, 2003

Page 3:

What is HIPAA?

HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996.

It’s a Federal law

Provides continuity of healthcare coverage

Administrative Simplification ???

Page 4:

Recognized need to improve protection of health privacy

Response by Congress for healthcare reform

Affects all healthcare industry

HIPAA is mandatory, penalties for failure to comply

Page 5:

Transactions

•Requires standardized transaction content, formats, diagnostic & procedure codes, national identifiers for healthcare EDI transactions.

Privacy

•Establishes conditions that govern the use and disclosure of individually identifiable health information.

•Establishes patient rights in regard to their protected health information (PHI).

Security

•Establishes requirements for protecting the confidentiality, availability and integrity of individually identifiable health information.

Page 6:

Civil

For failure to comply with transaction standards

$100 fine per occurrence; up to $25,000 per year

Criminal

For health plans, providers and clearinghouses that knowingly and improperly disclose information or obtain information under false pretenses

Penalties higher for actions designed to generate monetary gain

up to $50,000 and one year in prison for obtaining or disclosing protected health information

up to $100,000 and up to five years in prison for obtaining protected health information under "false pretenses"

up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm

Page 7:

Why do we need HIPAA?

1996 - In Tampa, a public health worker sent to two newspapers a computer disk containing the names of 4,000 people who tested positive for HIV.

2000 - Darryl Strawberry’s medical records from a visit to a New York hospital were reviewed 365 times. An audit determined less than 3% of those reviewing his records had even a remote connection to his care.

2001 – An e-mail was sent out to Prozac informational listserv members revealing the identities of other Prozac users.

Closer to Home

Page 8:

Title II - Administrative Simplification

Federal Law vs. State Laws

Protect health insurance coverage, improve access to healthcare

Reduce fraud and abuse

Establish new pt rights and privacy control by establishing common transaction sets for sending and securing pt information

Improve efficiency and effectiveness of healthcare

Reduce healthcare administrative costs (electronic transactions) ???

Page 9:

Who must comply?

HIPAA applies to all Covered Entities (CE) that transmit protected health information electronically such as:

Health Plan

Health Care Clearinghouse

Health Care Provider

Page 10:

Unlike Y2K, HIPAA compliance does not end.

Page 11:

Confidentiality

The delicate balance between all employees’, physicians’ and volunteers’ need to know and the patient’s right to privacy is at the heart of HIPAA – Privacy.

Page 12:

Practicing Privacy

Treat all information as if it were about you or your family.

Access only those systems you are officially authorized to access.

Use only your own User ID and Password to access systems.

Access only the information you need to do your job.

Page 13:

Practicing Privacy

Refrain from discussing patient information in public places.

Create a “hard to guess” password and never share it.

Log-off or lock your computer workstation when you leave it.

Page 14:

HIPAA MYTHS

WHITE BOARDS

SIGN IN SHEETS

PAGING

CALLING OUT NAMES

NAMES ON DOORS

STRUCTURES TO PREVENT DISCLOSURES

Page 15:

Oral Communications

The following practices are permissible if reasonable precautions (lowering voices) are taken to minimize inadvertent disclosures to others:

Staff may orally communicate at the nursing stations

Health care professionals may discuss a pt’s treatment in a joint treatment area

Health care professionals may discuss a pt’s condition during patient rounds

Page 16:

Common Terminology/Abbreviations (not all inclusive)

Affiliated Covered Entity (ACE) – Entities under common ownership or control may designate themselves as an ACE. Uses and disclosures of PHI are permitted w/out consent or authorization under TPO.

Treatment, Payment or Healthcare Operations (TPO) – business practices hospital undergoes for daily functions and srvcs

Page 17:

Terminology, Con’t

Covered Entity (CE) – A health plan, healthcare clearing house, healthcare provider who transmits any health information in connection to a transaction.

Designated Record Set (DRS) – Includes medical record and billing information, in whole or in part, by or for the covered entity to make decisions about patients

Page 18:

Terminology, Con’t.

Business Associate (BA) – Person, business or other entity who, on behalf of organization covered by regulations, performs or assists in performing function/activity involving use or disclosure of PHI.

Patient Health Information (PHI) – any identifying piece of info on pt –

Page 19:

Terminology - What is PHI?

Protected Health Information (PHI) is the medical record and any other individually identifiable health information (IIHI) used or disclosed for treatment, payment, or health care operations (TPO). (Secure Bins)

Name

Address

Photo images

Any date

Telephone/Fax numbers

Social Security Number

Medical record number

Health plan beneficiary number

Account number

Any other unique identifying number, characteristic, or code.

Page 20:

Terminology, con’t

Organized Health Care Arrangement (OHCA) – A clinically integrated care setting in which individuals typically receive health care from more than one provider, e.g., medical staff, radiologist phys group, ER phys group, volunteers, clergy, etc.

Page 21:

Terminology, Con’t

Notice of Privacy Practices (NOPP)

Disclosure of how PHI is used

Directory policy

Confidential Communications

Right to Access

Right to Amend

Accounting for Disclosures

Right to request restrictions on certain uses and disclosures

FPO contact information

Formal complaint process

Page 22:

When can we use PHI?

We can use PHI for Treatment, Payment and Healthcare Operations (TPO).

Business Associates (BA)

Affiliated Covered Entity (ACE)

Organized Health Care Arrangement (OHCA)

Page 23:

Do you need to know this information to do your job?

“need to know basis”

(Appropriate Access Policies)

Page 24:

MINIMUM NECESSARY INFO

Facility uses and discloses the minimum amount of PHI necessary to accomplish the intended purpose.

Applies whether the hospital is sharing, examining or analyzing PHI, or whether we are responding to a request outside the facility.

Page 25:

POLICIES

9 CORPORATE POLICIES

23 FACILITY POLICIES

Page 26:

CORPORATE POLICIES

Page 27:

PATIENT PRIVACY PROGRAM REQUIREMENTS

HIM.PRI.001

LISTS ALL PROGRAM REQUIREMENTS AND DEFINITIONS

Page 28:

Privacy Official Policy

Policy HIM.PRI.002

Barbara Lee Peace, FPO

Facility Privacy Official,

Ext 1682

Gayla White, LSC

Local Security Coordinator

Ext 1419

Page 29:

PATIENT PRIVACY PROTECTION

HIM.PRI.003

Defines individual’s responsibility in protecting PHI

“Need to Know is basis” for access

Page 30:

Right to Access

HIM.PRI.004

Individuals have the right to inspect and obtain a copy of their PHI.

Facility/PASA will provide a readable hard copy of portions of DRS requested.

On-line access not available at this time

Individuals with system access are not permitted to access their record in any system.

Facility must act on request for access no later than 30 days

Requests should be forwarded to the HIM Dept (unless Referral/Industrial or billing info)

May charge for copy according to GA Code
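The two access rules stated in these policies, "need to know" as the basis for access (HIM.PRI.003) and the ban on staff opening their own record in any system (HIM.PRI.004), are checkable against a system's user-access audit trail. The following is an added example, not part of the presentation and not the facility's Meditech code: it reviews a small set of constructed audit lines for both rules and reports, per patient, how many accesses came from users with no treatment relationship (the pattern in the Strawberry example above). The log format, user IDs, record numbers and care-team roster are all constructed for the example.

```python
"""
Added example (not from the presentation): review an EHR user-access audit
trail against two facility rules, no self-record access and need-to-know
access. Log format, field names, IDs and the care-team roster are constructed
here; the facility's real audit export format is not known.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed audit-trail lines: timestamp|user_id|user_mrn|patient_mrn|action
# (user_mrn is the staff member's own medical record number, if they have one).
SAMPLE_LOG = """\
2003-04-15T08:02:11|jdoe|MR10021|MR55001|VIEW
2003-04-15T08:05:40|jdoe|MR10021|MR10021|VIEW
2003-04-15T09:12:03|asmith|MR10077|MR55001|VIEW
2003-04-15T09:13:57|bwhite|MR10099|MR55001|VIEW
2003-04-15T10:30:00|asmith|MR10077|MR55002|PRINT
"""

# Constructed roster: patient MRN -> user IDs with a treatment relationship.
CARE_TEAM: Dict[str, Set[str]] = {
    "MR55001": {"jdoe", "asmith"},
    "MR55002": {"asmith"},
}


@dataclass(frozen=True)
class AccessEvent:
    timestamp: str
    user_id: str
    user_mrn: str
    patient_mrn: str
    action: str


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user_id: str
    patient_mrn: str
    rule: str  # "self-access" or "need-to-know"


def parse_log(text: str) -> List[AccessEvent]:
    """Parse pipe-delimited audit lines. Blank lines are skipped; a malformed
    line raises so a broken export is noticed instead of silently dropped."""
    events: List[AccessEvent] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        events.append(AccessEvent(*fields))
    return events


def review_access(text: str, care_team: Dict[str, Set[str]]) -> List[Finding]:
    """One finding per event that breaks a rule, in log order. Self-access is
    reported on its own: a staff member is never on their own care team."""
    findings: List[Finding] = []
    for ev in parse_log(text):
        if ev.user_mrn == ev.patient_mrn:
            findings.append(Finding(ev.timestamp, ev.user_id, ev.patient_mrn, "self-access"))
            continue
        if ev.user_id not in care_team.get(ev.patient_mrn, set()):
            findings.append(Finding(ev.timestamp, ev.user_id, ev.patient_mrn, "need-to-know"))
    return findings


def access_by_patient(text: str, care_team: Dict[str, Set[str]]) -> Dict[str, Tuple[int, int]]:
    """Per patient MRN: (total accesses, accesses by users outside the care team).
    A large outside share is what the audit in the Strawberry case surfaced."""
    stats: Dict[str, Tuple[int, int]] = {}
    for ev in parse_log(text):
        total, outside = stats.get(ev.patient_mrn, (0, 0))
        if ev.user_id not in care_team.get(ev.patient_mrn, set()):
            outside += 1
        stats[ev.patient_mrn] = (total + 1, outside)
    return stats


if __name__ == "__main__":
    for f in review_access(SAMPLE_LOG, CARE_TEAM):
        print(f"{f.timestamp} {f.user_id} -> {f.patient_mrn}: {f.rule}")
    for mrn, (total, outside) in access_by_patient(SAMPLE_LOG, CARE_TEAM).items():
        print(f"{mrn}: {total} accesses, {outside} outside care team")
```

On the constructed input this flags jdoe's view of record MR10021 (self-access) and bwhite's view of MR55001 (no treatment relationship), and reports MR55001 as 3 accesses with 1 from outside the care team. Note the distinction the AOD slides draw later: this is a system audit trail of user access, which is not the same thing as the accounting of disclosures to outside entities.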

Page 31:

RIGHT TO AMEND

HIM.PRI.005

Individuals have the right to amend PHI contained in the DRS for as long as the information is maintained.

For the intent of this policy, amend is defined as the pt’s right to add to information (append) with which he/she disagrees, and does not include deleting or removing or otherwise changing the content of the record.

Requests for Amendment must be forwarded to the FPO for processing.

Page 32:

RIGHT TO REQUEST PRIVACY RESTRICTIONS

HIM.PRI.006

Patients will be provided the right to request restriction of certain uses and disclosures of PHI.

Requests for such restrictions must be made in writing to the FPO.

Page 33:

RIGHT TO REQUEST PRIVACY RESTRICTIONS

No other employee or physician may process such a request unless specifically authorized by the FPO.

The facility is not required to act immediately and should investigate its ability to meet the request prior to agreeing to any restriction.

99% of the time the request will not be honored.

Page 34:

RIGHT TO REQUEST PRIVACY RESTRICTIONS

Facility must permit pt to request privacy restriction. FPO or designee is only person who may agree to any restriction

Should not be acted on immediately, rather after investigation to ensure facility can accommodate request

Request must be in writing from pt

If denied, pt must be notified of denial.

Request will be filed in med rec or billing

Termination of request (by facility or pt)

Page 35:

NOTICE OF PRIVACY PRACTICES

HIM.PRI.007 NOPP

NOPP must be given to every patient who physically registers for services (referrals, lab specimens thru SNF or HH, etc.) Each pt must acknowledge receipt (initialing).

4 page document outlining patient’s rights and notice of all of the ways the facility uses and shares a pt’s health info.

Page 36:

NOPP

Explains ACE, OHCA, uses, disclosures, rights to access, amend, receive confidential communications, request restrictions, request accounting of disclosures, how to file complaints, name & # of FPO, and more.

Notice must be posted throughout the facility and on facility web site.

Page 37:

NOPP

Company-affiliated facilities may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising any rights under the HIPAA Privacy Standards

Page 38:

RIGHT TO REQUEST CONFIDENTIAL COMMUNICATION

HIM.PRI.008

Patients can request alternate means of communication for mail and telephone calls

Unacceptable means include fax, e-mail and Internet communications

Patient must complete and sign “Request for Confidential Communications” form

Form must be submitted to FPO who will give a copy of the form to the patient

Page 39:

CONFIDENTIAL COMMUNICATION (cont’d)

FPO must notify other parties as appropriate (PASA)

If alternate phone/address is not accurate, 7 days must pass and then FPO will notify all applicable parties to take appropriate action

Patient must complete new form for future if original alternate info is incorrect

If revocation desired by pt, “Conf Communication Revocation” form must be completed

Page 40:

CONFIDENTIAL COMMUNICATION (cont’d)

Patients can request alternate means of communication for mail and telephone calls

Unacceptable means include fax, e-mail and Internet communications

Patient must complete and sign “Request for Confidential Communications” form

Form must be submitted to FPO who will give a copy of the form to the patient

Page 41:

ACCOUNTING OF DISCLOSURES

HIM.PRI.009 AOD

Individuals have the right to an accounting of disclosures made by the facility

Includes written and verbal disclosures

Accounting must include the date, description of what was disclosed, statement of purpose for the disclosure and to whom the disclosure was made

Page 42:

AOD (cont’d)

HIM.PRI.009

EXCEPTIONS from Accounting: Uses and disclosures for treatment, payment, healthcare operations (TPO).

*** This is not a system audit trail of user access. This is an accounting of entities to which information has been disclosed***

Page 43:

AOD (cont’d)

Facility must document the AOD and retain the documentation for 6 years.

Types of uses and disclosures that must be tracked for purposes of accounting:

Required by law

Public health activities

Victims of abuse, neglect, or domestic violence unless the healthcare provider believes informing the individual may cause serious harm or believes the individual is responsible for the abuse, neglect, or injury.

Health Oversight activities

Judicial and administrative proceedings

Law enforcement purposes

Page 44:

AOD

Decedents – Coroners and medical examiners OR funeral directors

Cadaveric organ, eye, or tissue donation purposes

Research purposes where a waiver of authorization was provided by the Institutional Review Board or preparatory reviews for research purposes

In order to avert a serious threat to health or safety

Specialized gov’t functions (Military or vet activities OR Protective services for the President and others)

Worker’s comp necessary to comply with laws relating to worker’s comp prgms (not including disclosures related to pymt)

Page 45:

AOD

Meditech

Correspondence menu

On the Mox menu

Detailed instructions forthcoming

Page 46:

FACILITY POLICIES

Page 47:

VERIFICATION OF EXTERNAL REQUESTORS

Policy assumes requestor is authorized and facility just needs to verify.

Identity verification

1.Valid State/Federal Photo ID

2.Minimum of 3 of the following:

SS#, DOB, one of the following (acct #, address, Insur Carrier, card or policy #, MR #, Birth certificate)

1.Positive match signature

Page 48:

VERIFICATION (CONT’D)

Unacceptable forms of identification:

•Employment ID card/Student ID card

•Membership ID cards

•Generic billing statements (utility bills)

•Supplemental Security card (SSI)

•Credit cards (photo or non-photo)

Page 49:

VERIFICATION (CONT’D)

Third-Party & Company identification methods:

•Letterhead

•Email address

•Fax Coversheet with company logo

•Photo ID

•If in doubt, follow-up via telephone

Page 50:

OPTING OUT OF DIRECTORY

Comparable to “no press, no info” as we know it

Must be in writing by pt

Pt access will handle if requested but

Nursing may have to handle

MUST inform patient of effects, e.g., no delivery of flowers, callers/visitors told no such pt, pt must notify family/friends of exact location, no clergy visits

Page 51:

OPTING OUT (cont’d)

Will be handled the same in Meditech

If in Directory, the following info will be released to members of clergy & other persons who ask for patient by name:

•Pt name

•Location

•Condition in general terms

•Religious affiliation

Page 52:

OPTING OUT (cont’d)

Opt Out form must be distributed to PAD and other appropriate dept’s to ensure pt is listed confidential and must be documented in med rec (change to conf in Meditech)

If pt asks to opt out during scheduling, OR, Rad, etc. must notify Pt Access & FPO

Gallup Survey upload file

Revocation of opt out – must be in writing

Page 53:

COMPLAINT PROCESS

Filed with facility & DHHS

To instill a measure of accountability

FPO must be notified

Complaint must be in writing

Steps taken to identify &/or correct any privacy deficiencies

Disposition of investigation by FPO to complainant and logged in complaint log

Page 54

RELEASE TO LAW ENFORCEMENT, JUDICIAL

State law pre-empts if more strict

Outlines proper acceptance & response to:

Court order for judicial or administrative proceedings.

Page 55

LAW ENFORCEMENT (cont’d)

• Subpoena or Discovery Request Not Accompanied by court order. Pt must be given notice and ample time to object.

• Law Enforcement – Disclosure is permitted under specific circumstances.

ALL requests for release of information should be referred to the HIM Dept.

Page 56

CLERGY ACCESS

Unless a pt is confidential or has requested to Opt Out of the facility directory, members of the clergy will be provided with the following information:

a. Name of pt

b. Condition in general terms

c. Location/Room Number

Page 57

CLERGY ACCESS

If the pt, during nursing assessment, asks for his or her clergy to be notified, the nursing staff should handle notification according to the facility’s current process.

Page 58

USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION

Required When:

Outside of TPO

Research

Psychotherapy notes (unless to carry out TPO)

New Authorization Form will replace existing form

Page 59

RELEASING UNDER THE PUBLIC GOOD

PHI may be released to other covered health care providers w/out patient authorization for public good purposes

Public good exception permits disclosures in certain situations including, but not limited to, the following:

Page 60

PUBLIC GOOD (cont’d)

Required by law

About victims of abuse, neglect, or domestic violence

Law enforcement purposes

For organ procurement

To avert a serious threat to health or safety

Worker’s comp or other similar program

Other situations (gov’t, disaster relief, etc)

Page 61

PRIVACY MONITORING

Security Committee

Random Audits

Audits of employees with broad access

Audits across campuses

Audits of all employee records

Page 62

PRIVACY MONITORING

Level and Definition of Violation:

Level I: Accidental and/or due to lack of proper education

Level II: Purposeful break in the terms of the Confidentiality and Security Agreement or an unacceptable number of previous violations

Level III: Purposeful break in the terms of the Confidentiality and Security Agreement or an unacceptable number of previous violations and/or accompanying verbal disclosure of patient information regarding treatment and status

Examples of Violations:

Failing to sign off a computer terminal when not using it

Accessing own record

Accessing a record without having a legitimate reason to do so

Sharing passwords

Improper use of e-mail

Using unlicensed software on HCA computers

Physician self-assigning without obtaining authorization
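The random audits on the previous slide (employees with broad access, audits across campuses) and two of the violations listed here (accessing your own record, accessing a record without a legitimate reason) can be turned into a repeatable pass over chart-access logs. The following is an added illustration, not code from the deck or from HCA/CHS; the log fields, unit names, reason codes and the employee-to-MRN lookup are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample chart-access log (CSV). Field names are assumptions for this
# example; an empty reason means no documented justification for the access.
SAMPLE_LOG = """\
timestamp,user_id,user_unit,patient_mrn,patient_unit,reason
2003-04-14T08:01:00,rn1001,ICU,MRN-5001,ICU,TREATMENT
2003-04-14T08:05:00,rn1001,ICU,MRN-5002,ICU,TREATMENT
2003-04-14T08:20:00,rn1001,ICU,MRN-7777,MEDSURG,
2003-04-14T09:00:00,clk2002,PAD,MRN-5003,ORTHO,REGISTRATION
2003-04-14T09:30:00,rn3003,ORTHO,MRN-9009,ORTHO,TREATMENT
2003-04-14T10:00:00,him4004,HIM,MRN-5001,ICU,RELEASE_OF_INFO
2003-04-14T10:05:00,him4004,HIM,MRN-7777,MEDSURG,RELEASE_OF_INFO
2003-04-14T10:10:00,him4004,HIM,MRN-9009,ORTHO,RELEASE_OF_INFO
"""

# Constructed lookup of workforce members who are also patients here
# (user_id -> own MRN), so "accessing own record" can be detected.
EMPLOYEE_MRN = {"rn3003": "MRN-9009"}


def parse_log(text):
    """Parse the CSV log into a list of dict rows (one row per chart open)."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(records, employee_mrn=EMPLOYEE_MRN, broad_access_units=3):
    """Return (findings, broad_access_users).

    findings: (timestamp, user_id, patient_mrn, code) for each access matching a
    violation pattern from the deck:
      SELF_ACCESS        - the user opened their own record
      OUTSIDE_CARE_AREA  - patient is on another unit and no reason was documented
    broad_access_users: users whose accesses span >= broad_access_units distinct
    units. They are candidates for the "employees with broad access" random audit,
    not violations in themselves (HIM staff legitimately touch every unit).
    """
    findings = []
    units_by_user = defaultdict(set)
    for r in records:
        user = r["user_id"]
        units_by_user[user].add(r["patient_unit"])
        if employee_mrn.get(user) == r["patient_mrn"]:
            findings.append((r["timestamp"], user, r["patient_mrn"], "SELF_ACCESS"))
        elif r["patient_unit"] != r["user_unit"] and not r["reason"].strip():
            findings.append((r["timestamp"], user, r["patient_mrn"], "OUTSIDE_CARE_AREA"))
    broad = sorted(u for u, units in units_by_user.items()
                   if len(units) >= broad_access_units)
    return findings, broad


if __name__ == "__main__":
    found, review = audit(parse_log(SAMPLE_LOG))
    for f in found:
        print("FINDING", *f)
    print("broad-access review list:", review)
```

The self-access and outside-care-area checks produce findings for the Security Committee to review; the broad-access list is only a sampling frame for the random audits, since HIM and registration staff legitimately open records across every unit. A real log would also carry the patient's care team, so that consults and transfers are not flagged as outside-care-area.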

Page 63

SANCTIONS FOR PRIVACY VIOLATIONS

Security Committee

In current hospital policies

Violations must be documented

Levels of violation

• Accidental/lack of education

• Purposeful or unacceptable # of previous violations

• Purposeful with associated potential patient harm

Page 64

Disclosures to Other Health Care Providers

May disclose for healthcare purposes

Verify requestor

Medical Staff is member of OHCA

Page 65

Designated Record Set

Policy HIM

Includes:

Medical records and billing records for CMC used in whole or part to make healthcare decisions about patients.

**Information from another facility

- received before patient discharged

Page 66

Privacy Fundraising Requirements

In general, individual patient authorization must be obtained to use or disclose a patient’s PHI for fundraising purposes.

Does not apply to CHS

Page 67

Education Requirements

All employees must be educated prior to entering the work force

Education must be at onset and at least annually

Must be documented

Page 68

FAX POLICY

CHECK NUMBERS

REPORT WRONG FAXES TO FPO

ALWAYS USE COVER SHEET

FAXBOX

Page 69

MARKETING POLICY

A patient authorization is required and must be obtained for any uses or disclosures of PHI for purposes of marketing under the HIPAA Privacy Standards.

Page 70

DEIDENTIFICATION

Policy addresses how to deidentify data if releasing.

Page 71

LIMITED DATA SET

Allows for submission of a limited data set in certain situations.

Page 72

RELEASE TO FAMILY AND FRIENDS

Better known as “Passcode Policy”: requires a passcode at nursing units and other care units when releasing info on patients.

Page 73

MINIMUM NECESSARY INFORMATION

The Company wants to be sure that everyone is adhering to the rule that employees have only the minimum necessary information to do their jobs.

Page 74

POLICIES POSTED

ATLAS – Policies & Procedures

• CHS

• HIPAA

  – Facility

  – Corporate

  – Forms

MOX – Library

  – HIPAA

Page 75

SECURITY

Page 76

Protecting our patients’ privacy is part of the quality care we provide at Coliseum Medical Centers

– It’s the Law –

Page 77

Email and Internet Access

Email Systems and the Internet:

- Are for business purposes only

- Are monitored by corporate and CHS Information Services

- Any information passing to or through them is the property of the Company

Email Systems and Internet access may NEVER be used for:

- Offensive jokes or language

- Anything that degrades a race, sex, religion, etc.

- “Hate” mail – to harass, intimidate or threaten another person

- Forwarding chain letters

- Emails for want ads, lost and found, notification of events (wedding or other invitations) other than HCA sponsored events

- Access to “prohibited internet sites” containing pornography, “hate” sites, chat sites and gaming sites

Page 78

The use of HCA’s information systems assets to access such sites is STRICTLY PROHIBITED!

- Any purpose which is illegal, against Company policy, or contrary to the Company’s best interest

Email Systems and Internet access violations are:

- Handled by our CHS Security Committee and will become a part of your personnel record in Human Resources

- Grounds for disciplinary action up to, and including, termination of employment and/or legal action

If you receive an email in violation of our policies or know of any inappropriate Email/Internet usage, please notify our Local Security Coordinator (LSC), Gayla White, or our Hospital Director of Information Services (HDIS), Joan Morstad at 765-4127 or by Outlook or MOX.

Remember adherence is neither voluntary nor optional.

Page 79

Incident Reporting

Your Local Security Coordinator, Gayla White, is your first contact for questions or to report any known or potential security issues. The Hospital Director of Information Services, Joan Morstad, supports technical issues, including security issues. The Facility Privacy Officer, Barbara Lee Peace, will receive complaints about patient privacy.

A security breach is any deviation from the HCA – Information Technology and Services Policies, Procedures and Standards.

Violation levels and respective disciplinary actions are outlined in the AA.C.ENFORCE policy located on InSight – the CHS Intranet.

System access will be routinely reviewed through the use of conformance and monitoring audit reports viewed by the Local Security Coordinator and the Facility Security Committee.

Page 80

Level and Definition of Violation:

Level I: Accidental and/or due to lack of proper education

Level II: Purposeful break in the terms of the Confidentiality and Security Agreement or an unacceptable number of previous violations

Level III: Purposeful break in the terms of the Confidentiality and Security Agreement or an unacceptable number of previous violations and/or accompanying verbal disclosure of patient information regarding treatment and status

Examples of Violations:

Failing to sign off a computer terminal when not using it

Accessing own record

Accessing a record without having a legitimate reason to do so

Sharing passwords

Improper use of e-mail

Using unlicensed software on HCA computers

Physician self-assigning without obtaining authorization

Page 81

Examples of Discipline:

Retraining and discussion of policy / Oral warning or reprimand

Written warning

Termination of user privileges or contracts

Termination of employment

REMEMBER

Be aware of the systems you use and report any violations of policy.

Page 82

LOG IN SUCCESS OR FAILURE

Log-in success or failure is a general term for end user awareness and training, including their understanding of their responsibility to ensure the protection of the information they work with and their ability to recognize normal and abnormal system functionality.

Information Security in the healthcare industry means protecting employee and company information, but also includes the patient information gathered on behalf of a patient during treatment.

Page 83

WHAT ARE GOOD INFORMATION SECURITY PRACTICES?

1. Treat all information as if it were about you or your family.

2. Access only those systems you are officially authorized to access.

3. Take reasonable measures to shield sensitive and confidential information from casual view, such as positioning workstations away from public view.

4. Minimize the storage of confidential information on a local workstation.

5. Always exit the system before leaving work.

6. Access only the information you need to do your job.

Read the Information Security Guide that is available on ATLAS under Information Technology Services > Security > Awareness Education > Security Guide.

Page 84

Certain kinds of Internet/email use require large amounts of network bandwidth and, when multiplied by too many users, can actually monopolize our system resources. These “bandwidth hogs” can slow or even shut down the computer systems we need for day-to-day work.

WHAT IMPACTS OUR SYSTEMS?

1. Internet images/graphics accessed on your web browser.

2. Pictures/graphics sent by email using the Company email system.

3. Internet news sites, using either streaming audio or streaming video.

4. MP3 (music) files downloaded from the Internet.

Page 85

Take a close look at how you use the Company’s network to ensure that your Internet habits don’t contribute to a slowdown of our systems.

REMEMBER

Use of the internet plays an important part in keeping our Company’s network performing properly.

Page 86

NEED TO KNOW

Workforce members only access systems they are authorized to access.

Never use a password that does not belong to you.

Never give someone else your password.

Always request access to a system through the proper channels.

Workforce members access only the information needed to perform a task or job.

Never view a patient’s information that is not in your direct care area.

Never request information from coworkers about a family, friend or your own record.

Never access your own record but request information from Health Information Management.

Page 87

Workforce members only share sensitive and confidential information with others having a “need to know” to perform their job.

Never give information about patients in your care area to coworkers outside your care area.

Never discuss patient information in elevators, dining areas, or other public places.

Direct all requests for information from coworkers about their own or other records to Health Information Management.

Keep sensitive and confidential information in a locked cabinet or drawer when not in use.

REMEMBER

Only access information that is needed to perform your duties!!

Page 88

PASSWORD MAINTENANCE

Did you know that guessing or using a known password makes up about 60% of all successful information security breaches? This means that creating a secure password is vital to network protection.

You should never write down or give your User ID and password to anyone else, and you should never use anyone else’s User ID and password. Using or allowing someone to use a User ID and password that was not assigned to them is like giving a stranger your Bank Card and PIN number!!

Page 89

Inferior passwords include:

Your user ID or Account Number

Your Social Security Number

Birth, death or anniversary dates

Family member names

Your name forward or backwards

Good quality passwords are:

Eight characters or more

Uppercase (A) and lowercase (a) letters

Combinations of letters and numbers

Easy to type and remember

Made up of a pass phrase

Page 90

A pass phrase is unique and familiar to you, and easy to remember, but not easy to guess. Think of a phrase like “See you later.” For systems that accept numbers and special characters, you can substitute letters for words and add a special character to transform the phrase into something like CUL8ter!. For systems that do not accept numbers and special characters, your password might be CULatER.

REMEMBER

Your ID and password document work performed and information reviewed by YOU!!
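The inferior-password list and the good-quality rules from the previous two slides, written as a check that a help desk or account-provisioning script could run before a new password is accepted. This is an added example, not part of the deck or of HCA's systems; the function name, its parameters and the date layouts it tries are assumptions.

```python
import re
from datetime import date


def _alnum(s):
    """Lowercase a string and drop anything that is not a letter or digit."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def _date_forms(iso_date):
    """Digit strings someone might type for a date.

    Assumed layouts: YYYYMMDD, MMDDYYYY, MMDDYY, DDMMYYYY, DDMMYY.
    """
    d = date.fromisoformat(iso_date)
    return {d.strftime(f) for f in ("%Y%m%d", "%m%d%Y", "%m%d%y", "%d%m%Y", "%d%m%y")}


def check_password(password, user_id="", ssn="", dates=(), names=(), digits_supported=True):
    """Return the list of deck rules the password breaks; an empty list means it passes.

    user_id, ssn, dates (ISO strings) and names are the personal facts the deck lists
    as inferior password material. digits_supported=False models a system that does
    not accept numbers, where the letters-and-numbers rule cannot apply.
    """
    problems = []
    pw = _alnum(password)
    pw_digits = re.sub(r"\D", "", password)

    # Inferior-password list: facts about you that a coworker or outsider can look up.
    uid = _alnum(user_id)
    if uid and uid in pw:
        problems.append("contains your user ID")
    ssn_digits = re.sub(r"\D", "", ssn)
    if ssn_digits and ssn_digits in pw_digits:
        problems.append("contains your Social Security Number")
    for iso in dates:
        if any(form in pw_digits for form in _date_forms(iso)):
            problems.append(f"contains a personal date ({iso})")
            break
    for name in names:
        n = _alnum(name)
        if len(n) < 3:
            continue
        if n in pw:
            problems.append(f"contains a name ({name})")
        elif n[::-1] in pw:  # "your name forward or backwards"
            problems.append(f"contains a name backwards ({name})")

    # Good-quality list: length, mixed case, letters combined with numbers.
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("does not mix uppercase and lowercase letters")
    if digits_supported and not (any(c.isalpha() for c in password)
                                 and any(c.isdigit() for c in password)):
        problems.append("does not combine letters and numbers")
    return problems


if __name__ == "__main__":
    # Constructed inputs: a fictional user "bpeace" with a fictional date of birth.
    for candidate in ("CUL8ter!", "Ecaep030975", "bpeace123"):
        print(candidate, "->", check_password(candidate, user_id="bpeace",
                                              names=["Barbara", "Peace"],
                                              dates=["1975-03-09"]) or "OK")
```

Names are matched forward and reversed after stripping punctuation, so "Peace" also catches "ecaep". CUL8ter! passes every rule; CULatER, the deck's example for systems without numbers, is flagged only for length, since it is seven characters.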

Page 91

POLICIES AND STANDARDS

HCA relies heavily on computers to meet its operational, financial, and information requirements. The computer system, related data files, and the derived information are important assets of the company.

POLICIES: A mechanism of internal controls for routine and non-routine receipt, manipulation, storage, transmission and/or disposal of health information.

Facility and Corporate policies are located on InSight – the CHS Intranet – under the Policies & Procedures section.

Page 92

Before being issued a password to CPCS, all employees are required to sign the AA.C.ENFORCE policy describing the requirements for discipline when confidentiality breaches of patient or hospital financial information and data are identified, and the AA.H.OWNMR policy identifying the proper procedure for employees who want to view a copy of their own medical record.

All system users are responsible for abiding by the policies and procedures established to protect the company’s information.

STANDARDS: The minimum-security standard requirements for processing information in a secure environment and for helping facilities comply with the proposed HIPAA (Health Insurance Portability and Accountability) Security Rule

Page 93

IT&S Standards are published on ATLAS under Information Technology & Services, in the Security section. The latest standards that have been published are:

System Warning Banner

Identification

Authentication

Encryption

Wireless Networks

Electronic Mail System

Workstation Security

Mobile Computing

Open Network Security

Security Awareness

Virus Control

REMEMBER: Each employee is expected to become familiar with and abide by our policies and standards.

Page 94

WORKSTATION SECURITY

Your workstation is any terminal, instrument, device, or location where you perform work.

Protection of the workstation and its equipment is each employee’s responsibility.

If you leave cash out where the casual observer can see it, are you certain it will be there the next time you look? Our work-related information is even more valuable!

Page 95

Examples of sensitive information that should never be left unattended:

Patient Identifiable Information. Never leave out any information that is directly related to or traceable to an individual patient.

Departmental Reports.

Employee Evaluations or Goals. Keep personal information about you between you and your manager.

Consulting or Audit Reports. Reports that reveal intricate details about Company operations or systems should be protected from outsiders.

To keep your workstation secure, be sure to perform a “self audit” and evaluate the information you leave on top of your desk.

Page 96

Examples of secure workstations:

PCs are secured (locked) to a heavy object whenever possible.

When not in use, hard copy information, portable storage, or hand-held devices are kept in a secured (locked) place.

Information on any screen or paper is shielded from casual public view.

Terminals and desk are not left active or unlocked and unattended.

Company approved anti-virus software actively checks files and documents.

Only company approved, licensed, and properly installed software is used.

Portable storage such as disks and tapes are obtained from a reliable source.

Page 97:

- Backups of electronic information are performed regularly.
- Surge protectors are used on all equipment containing electronic information.
- It is the responsibility of all users who have laptops and other portable devices to exercise due care (i.e., locking and/or storing safely) to prevent opportunist theft or loss.

REMEMBER

It is your responsibility to protect the information resources on your individual workstation.

Page 98:

For more information…

http://www.hipaadvisory.com/

http://aspe.os.dhhs.gov/admnsimp/

http://www.hcfa.gov/

http://www.ahima.org/

http://www.ama-assn.org/ama/pub/category/4234.html