Compliance & HIPAA 2017 Annual Education 1 The purpose of this - - PowerPoint PPT Presentation
Compliance & HIPAA 2017 Annual Education 1 The purpose of this education is to The purpose of this education is to UPDATE and REFRESH understanding of: UPDATE and REFRESH your understanding of: Aultmans Compliance Program. The HIPAA
1
The purpose of this education is to UPDATE and REFRESH understanding of:
The purpose of this education is to UPDATE and REFRESH your understanding
Aultman’s Compliance Program. The HIPAA rules and PROTECTING OUR PATIENT’S confidential information.
2
3
Aultman’s Compliance Program
The Aultman Compliance Program includes SEVEN CORE ELEMENTS as required by the government.
Written policies and procedures and standards of conduct. A Compliance Officer that is accountable and responsible for the program. Effective education and training. Lines of communication for reporting compliance concerns. Disciplinary action for non-compliance. Routine auditing and monitoring to identify risks. Procedures for responding promptly to non-compliance and undertaking corrective action. The 7 elements of an effective Compliance Program are…
4
So… what does the Compliance Department at Aultman actually do?
Demonstrates a good faith effort to comply with federal, state, and local regulations. Establishes procedures to prevent, detect, and correct non- compliance.
PROTECT our organization, workforce members, and customers. Preserve the level of INTEGRITY that Aultman is known for as a highly reliable organization. Promote the continued effort to DO THE RIGHT THING.
Provides a method for employees to report potential problems. Serves as a resource to resolve compliance issues. But wait! THERE’S MORE…
Aultman’s Compliance Department strives to…
5
Follow Aultman’s Code of Conduct. Carry out your job duties with INTEGRITY and HONESTY. Know the laws and regulations that apply to your job. Exercise good judgment and do the right thing when performing your job. Report suspected compliance concerns or problems to the Compliance Department.
Fraud, Waste, and Abuse (FWA)
Fraud, Waste, and Abuse can occur in many different formats. For example... Billing for services not furnished or that are medically unnecessary could be considered FWA.
An estimated 10% of Medicare costs are wrongly spent on fraud, waste, and abuse. The government is devoting substantial resources to prevent and detect FWA.
If you have a concern or question about how things are being done, it is important that you report your concern.
Additional information regarding FWA, and the False Claims Act, can be found in the Aultman Employee Handbook or CMS’s Fraud & Abuse: Prevention, Detection, and Reporting Fact Sheet.
6
How do I report a Compliance Concern?
Discuss concerns with your manager or another member of the management team. Contact the Compliance Department at (330) 363-3380 or
Report anonymously by calling the Aultman Compliance Line at 1 (866) 907-6901 or online at https://www.aultman.org/complianceline.
Employees reporting in good faith will not be subject to retaliation.
I have a concern… 7
HIPAA is a federal law which:
Regulates and sets standards for protecting patient privacy and confidentiality of Protected Health Information (PHI). Describes how we may use and disclose health information. Expands patient’s rights regarding their health information. Includes penalties for privacy violations.
8
Any and all health information that could identify a particular person.
Protected Health Information (PHI) :
Name & address, age, date of birth, social security number, clinical information, test results, diagnosis, photos, employer.
Breach:
May require notification of patient and government.
PHI can be shared without patient authorization for:
When someone obtains, views, or discloses PHI inappropriately. Treatment – anyone who has a treatment relationship with the patient. Payment – for billing and collection activities. Healthcare Operations – business activities, including quality improvement and teaching. Report any potential breaches to the Compliance Department.
9
Why is Patient Privacy Important?
Patients place TRUST in us to protect their most private information.
If patients don’t trust us with their private information… They may be reluctant to disclose important information that is vital to their care. Our community reputation could be damaged. Not only do we have a legal duty to protect patient health information, we have an ETHICAL and MORAL
They may go elsewhere to receive treatment.
10
What can I tell my patient’s friends and family?
Obtain patient approval before sharing PHI.
Oral or written approval is acceptable. Document it in the medical record. Use the Privacy Communication tab in Cerner or paper form. Patient may change his/her mind at any time.
Use professional judgment when patient is unconscious
Utilize the Minimum Necessary Standard. Family & friends should be actively involved in care in order to receive PHI.
When in doubt, do not disclose information!
Remember, you can consult your manager
11
Mobile devices such as laptops, tablets, smartphones, and USB flash drives that contain confidential Aultman information must be password protected and encrypted, when possible. Texting of patient information should only be performed with Aultman approved applications that are secure and encrypted.
The Joint Commission prohibits the texting of patient care orders.
12
HIPAA rules require that all our electronic systems have the capability to produce an audit trail. This allows us to: Investigate any patient complaint regarding HIPAA. Run specialized reports that can show, for example, if a user accessed a co-worker’s medical record.
13
See who has accessed patient records and when. Conduct random audits of employee access.
Did you know?
Snooping into electronic medical records is the most common type of HIPAA violation at Aultman. Aultman policies DO NOT PERMIT workforce members to look up their own medical information, or that of family, friends, co-workers, or patients of interest.
This applies to all forms of medical information
14
They’re my records… why can’t I have access?
When receiving health care services, employees are like any other patient. As a patient, an employee may obtain a copy of their health care information (or the records of family members) by completing the release of information process in the Medical Records Department. A signed Authorization Form does not permit workforce members to directly access anyone’s information via Aultman’s various electronic systems. Aultman’s Patient Portal is also available and allows patients direct access to their health information. If you still need to sign-up for the Patient Portal, please contact the Registration Department.
15
The reason for these restrictions is the HIPAA Minimum Necessary Standard, also known as “the need to know rule.”
Under this HIPAA standard, you are
you need to do your job and disclose
job. Looking up your own information or the information of a family member does NOT meet this standard! The HIPAA rules require health care organizations to have consistent disciplinary actions in place for employees who violate HIPAA. At Aultman, disciplinary actions for HIPAA violations have ranged from suspensions to terminations.
Aultman’s disciplinary process is outlined in the Employee Handbook.
16
17
Social media websites are a great tool for sharing all kinds of information,
BUT NEVER
for sharing any kind of patient information, even in general terms! Remember that any information and images you post online could remain there forever and might be redistributed, shared, commented upon, and accessed by anyone, including your family, friends, or employers (even many years later).
THINK…. before you post!
18
Computer & Email Security
Log off or lock your computer when leaving your workstation.
To lock your screen press:
All emails sent to another Aultman email are secure. Emails sent externally that contain Protected Health Information MUST be encrypted. Type [SECURE] anywhere in the subject line to encrypt an email.
User IDs and Passwords
Everyone must have a unique user ID and password and they are responsible for all activity that occurs under that combination. Mandatory password changes are required a minimum of every 90 days. Passwords should be strong to increase security.
[Secure]
19
Phishing attacks are typically carried out through the use of emails that appear to be sent from a legitimate source. Recipients of these emails are directed to click on links that send them to websites designed to obtain sensitive information or install malicious software onto their device.
20
How to spot a phishing email
Spelling and bad grammar If you notice mistakes in an email, it may be malicious. The hyperlinked URL is different Hover your mouse over the address in the “from” field to see if the website domain matches that of the site the email should have
Call to action Often they will trick you into clicking on a link to reactivate your account or to remove a hold. Don’t click on the link, but instead log onto your account in question directly through their website. You Won!! A common scam is to send an email that says you won a prize for a contest you never entered. Requesting personal information Reputable organizations will not ask for personal information in an email. Make a donation Unfortunately, phishing emails might ask for a donation to a legitimate cause, such as the American Red Cross. To be safe, contact organizations directly to make donations.
21
A type of malicious software designed to block access to a computer system until a sum of money is paid.
Installed through email attachments, infected downloads, or visiting malicious websites or links. Only open attachments, install downloads, or visit websites from known and trusted sources.
HEALTHCARE
22
If you feel you have fallen victim to ransomware or a phishing scheme, please contact our IT Security Department IMMEDIATELY at:
EPHIsecurity@aultman.com Help.Desk@aultman.com
23
There are resources available to learn more about the HIPAA Privacy and Security Regulations
This is a document we are required to give all patients. It summarizes our policies and procedures in regards to the requirements of HIPAA. This is our internal system that contains all of Aultman’s HIPAA Privacy and Security policies and procedures. Can be accessed through the employee portal under “Resources” then “Policies & Procedures”.
24
Notice of Privacy Practices (NPP) PolicyTech
Issues we’ve seen at Aultman
Random audit revealed an employee accessed their co-worker’s records. A group of employees posed for a picture while at work that was posted to social media. Patient PHI was visible on the computer behind them. Employees were receiving harassing phone calls from a patient’s family demanding protected information. Guidance was provided to the staff. A patient was sent home with another patient’s discharge instructions or clinical summary. Lab report was faxed to the wrong physician office. A family member found a nurse’s report paper with patient PHI on the ground in the hallway.
25
A department requested guidance on proper storage of PHI in their offices.
Kelly Martinelli Aultman Medical Group Compliance Officer
kelly.martinelli@aultman.com Valerie Waldorff Aultman Orrville Hospital Compliance Liaison
valerie.waldorff@aultman.com Karen Wulff Integrated Health Collaborative Compliance & Privacy Officer
karen.wulff@aultman.com
Direct questions regarding Systems and Technology Security to: Barbara McGill – HIPAA IT Security Officer/Analyst
Tim Regula
Chief Compliance and Privacy Officer
(330) 363-7448 tim.regula@aultman.com
Compliance Department
26
EPHIsecurity@aultman.com submit a Help Desk Ticket via the Employee Portal.
HIPAA regulations require Aultman to provide on-going compliance education for all employees and other members of the Aultman workforce. We have created a post-test to demonstrate your understanding of the information provided in this education. Every employee must complete the post-test and answer 80% of the questions correctly. Please proceed to the post-test now.
27
Tana Rodgers BSN, RN 2017