Compliance & HIPAA 2017 Annual Education 1 The purpose of this - PowerPoint PPT Presentation

Compliance & HIPAA 2017 Annual Education 1

The purpose of this education is to The purpose of this education is to UPDATE and REFRESH understanding of: UPDATE and REFRESH your understanding of: Aultman’s Compliance Program. The HIPAA rules and PROTECTING OUR PATIENT’S confidential information. 2

Aultman’s Compliance Program The Aultman Compliance Program includes SEVEN CORE ELEMENTS as required by the government. The 7 elements of an effective Lines of communication for Compliance Program are… reporting compliance concerns. Written policies and procedures Disciplinary action for and standards of conduct. non-compliance. Routine auditing and A Compliance Officer that is monitoring to identify risks. accountable and responsible for the program. Procedures for responding promptly to non-compliance Effective education and training. and undertaking corrective action. 3

So… what does the Compliance Department at Aultman actually do? Demonstrates a good faith effort to Provides a method for employees comply with federal, state, and local to report potential problems. regulations. Establishes procedures to prevent, Serves as a resource to resolve detect, and correct non- compliance issues. compliance. Aultman’s Compliance Department strives to… But wait! THERE’S MORE… PROTECT our organization, workforce members, and customers. Preserve the level of INTEGRITY that Aultman is known for as a highly reliable organization. Promote the continued effort to DO THE RIGHT THING . 4

What is expected of me? Follow Aultman’s Code of Conduct. Carry out your job duties with INTEGRITY and HONESTY . Know the laws and regulations that apply to your job. Exercise good judgment and do the right thing when performing your job. Report suspected compliance concerns or problems to the Compliance Department. 5

Fraud, Waste, and Abuse (FWA) Fraud, Waste, and Abuse can occur in many different formats. For example... Billing for services not furnished or that are medically unnecessary could be considered FWA. An estimated 10% of Medicare costs are wrongly spent on fraud, waste, and abuse. The government is devoting If you have a substantial resources to prevent and concern or detect FWA. question about how things are being done, it is important that Additional information regarding FWA, and the False Claims Act, you report your can be found in the Aultman Employee Handbook or CMS’s Fraud concern. & Abuse: Prevention, Detection, and Reporting Fact Sheet. 6

How do I report a Compliance Concern? Discuss concerns with your manager or another member of the management team. Contact the Compliance Department at (330) 363-3380 or Ext. 33380 or compliance@aultman.com. Report anonymously by calling the Aultman Compliance Line at 1 (866) 907-6901 or online at https://www.aultman.org/complianceline. I have a concern… Employees reporting in good faith will not be subject to retaliation. 7

What is HIPAA? HIPAA is a federal law which: Regulates and sets standards for protecting patient privacy and confidentiality of Protected Health Information (PHI) . Describes how we may use and disclose health information. Expands patient’s rights regarding their health information. Includes penalties for privacy violations. 8

Breach : When someone obtains, views, or discloses PHI inappropriately. May require notification of patient and government. Report any potential breaches to the Compliance Department. Protected Health Information (PHI) : PHI can be shared without patient authorization for: Any and all health information that Treatment – anyone who has a could identify a particular person. treatment relationship with the patient. Name & address, age, date of Payment – for billing and collection birth, social security number, activities. clinical information, test results, Healthcare Operations – business diagnosis, photos, employer. activities, including quality improvement and teaching. 9

Why is Patient Privacy Important? Patients place TRUST in us to protect their most private information. If patients don’t trust us with their private information… They may be reluctant to disclose important information that is vital to their care. They may go elsewhere to receive treatment. Our community reputation could be damaged. Not only do we have a legal duty to protect patient health information, we have an ETHICAL and MORAL obligation, as well. 10

What can I tell my patient’s friends and family? Obtain patient approval before Use professional judgment sharing PHI. when patient is unconscious or incapacitated. Oral or written approval is acceptable. Utilize the Minimum Necessary Document it in the medical record. Standard. Use the Privacy Communication tab in Cerner or paper form. Family & friends should be actively involved in care in order to receive Patient may change his/her mind at PHI. any time. When in doubt, do not disclose information! Remember, you can consult your manager or Compliance for guidance. 11

Mobile Devices Mobile devices such as laptops, tablets, smartphones, and USB flash drives that contain confidential Aultman information must be password protected and encrypted, when possible. Texting of patient information should only be performed with Aultman approved applications that are secure and encrypted. The Joint Commission prohibits the texting of patient care orders. 12

Audits HIPAA rules require that all our electronic systems have the capability to produce an audit trail. This allows us to: See who has accessed patient records and when. Conduct random audits of employee access. Investigate any patient complaint regarding HIPAA. Run specialized reports that can show, for example, if a user accessed a co- worker’s medical record. 13

Sn ping Did you know? Snooping into electronic medical records is the most common type of HIPAA violation at Aultman. Aultman policies DO NOT PERMIT This applies to all workforce members to look up their own forms of medical medical information, or that of family, information friends, co-workers, or patients of interest. 14

They’re my records… why can’t I have access? When receiving health care services, employees are like any other patient. As a patient, an employee may obtain a copy of their health care information (or the records of family members) by completing the release of information process in the Medical Records Department. A signed Authorization Form does not permit workforce members to directly access anyone’s information via Aultman’s various electronic systems. Aultman’s Patient Portal is also available and allows patients direct access to their health information. If you still need to sign-up for the Patient Portal, please contact the Registration Department. 15

What’s the big deal? The reason for these restrictions is the HIPAA Minimum Necessary Standard , also known as “the need to know rule.” Looking up your own Under this HIPAA standard, you are information or the only permitted to access information information of a family you need to do your job and disclose member does NOT meet only information to others to do their this standard! job. The HIPAA rules require health care organizations to have consistent disciplinary actions in place for employees who violate HIPAA. At Aultman, disciplinary actions for HIPAA violations have ranged from suspensions to terminations. Aultman’s disciplinary process is outlined in the Employee Handbook. 16

Social Media 17

Social media websites are a great tool for sharing all kinds of information, BUT NEVER for sharing any kind of patient information, even in general terms! Remember that any information and images you post online could remain there forever and might be redistributed, shared, commented upon, and accessed by anyone, including your family, friends, or employers (even many years later). THINK…. before you post! 18

Computer & Email Security To lock your screen User IDs and Passwords Log off or lock your press: computer when leaving Everyone must have a unique user ID and your workstation. password and they are responsible for all activity that occurs Email under that combination. All emails sent to another Type [SECURE] Mandatory password Aultman email are secure. anywhere in the changes are required subject line to a minimum of every Emails sent externally that encrypt an email. 90 days. contain Protected Health Information Passwords should be MUST be strong to increase encrypted. security. [Secure] 19

Phishing Schemes Phishing attacks are typically carried out through the use of emails that appear to be sent from a legitimate source. Recipients of these emails are directed to click on links that send them to websites designed to obtain sensitive information or install malicious software onto their device. 20