FCSRMC HIPAA PRIVACY & SECURITY PRESENTATION (BDO USA, LLP) - PowerPoint PPT Presentation


SLIDE 1

FCSRMC – HIPAA PRIVACY & SECURITY PRESENTATION

BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. BDO is the brand name for the BDO network and for each of the BDO Member Firms.

SLIDE 2

What is HIPAA?

HIPAA stands for: Health Insurance Portability and Accountability Act (HIPAA)

  • August 1996: Federal law enacted
  • April 2001: Privacy Rule
  • April 2005: Security Rule
  • February 2010: HITECH Act
  • March 2013: HIPAA Omnibus (Final) Rule

SLIDE 3

HIPAA Privacy Rule

HIPAA’s Privacy Rule:

  • Addresses the use and disclosure of an individual’s health information regardless of how it is communicated (electronically, verbally, or written).
  • Establishes standards for an individual to understand and control how their health information is used.
  • Assures that health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well being.

SLIDE 4

Covered Entity (CE)

A Covered Entity includes a health plan or payor, a healthcare clearinghouse, and all healthcare providers who transmit any healthcare information in electronic form (including telephones, fax machines and computers). Examples:

  • Physician Practices
  • Dentists
  • Hospitals
  • Diagnostic Services (lab, radiology)
  • Nursing Homes
  • Pharmacies
  • Home Health Agencies
  • Health Plans

SLIDE 5

Covered Entity (CE)

FCSRMC is considered a Covered Entity (Group Health Plan) and its member colleges act as the plan sponsor. A covered health plan includes a group health plan, which is defined as an employee welfare benefit plan under ERISA. This may include:

  • hospital and medical benefit plans
  • dental plans
  • vision plans
  • health flexible spending accounts
  • employee assistance plans

SLIDE 6

Business Associate

A Business Associate is a person or entity that performs certain functions or activities that involve the use or disclosure of Protected Health Information (PHI) on behalf of, or provides services to, a Covered Entity. Examples include vendors, contractors and subcontractors such as:

  • Billing Company
  • Attorney
  • Transcription Service
  • Accountant
  • Practice Management System
  • Consultant
  • Document Storage Company
  • EMR/EHR System
  • Collection Agency
  • I.T. Vendor

Business Associates are accountable for protecting the privacy/security of PHI and are directly liable for criminal and civil penalties for violations.

SLIDE 7

Protected Health Information (PHI)

Protected Health Information (PHI) is:

  • individually identifiable health information that has been transmitted or maintained in any medium (paper, verbal, electronic).
  • created or received by the organization, relates to the health of an individual or payment for health services, and identifies the individual.

  • Employee Name
  • Complete Address
  • All Elements of Dates
  • Telephone Numbers
  • Fax Numbers
  • E-Mail Address
  • Social Security Number
  • Medical Record Number
  • Certificate/License Number
  • Vehicle Identifiers (License Plate Number)
  • IP Address
  • Biometric Identifiers (voice and fingerprint)
  • Full Face Photographic Images
  • Any Other Unique Identifying Number/Code
  • Health Plan Beneficiary Number
  • Account Numbers

SLIDE 8

De-Identified Health Information

De-identified health information refers to information that cannot be used to identify an individual. Examples include information that has been redacted from documents containing health information, or reports that do not identify a specific individual. Uses:

  • Research (market analysis)
  • Financial Reports
  • Statistical Reports
  • Demographic Studies
  • Reports for Public Health Purposes
  • Quality Improvement Activities
  • Health Care Operations

SLIDE 9

Notice of Privacy Practices

The Covered Entity must provide a Notice of Privacy Practices to each individual. It is brief, written in plain language, and includes:

  • a description of the types of uses and disclosures that the Covered Entity is permitted to make for treatment, payment and healthcare operations.
  • a description of other purposes for which the Covered Entity is permitted or required to disclose PHI without the individual’s written authorization.
  • a description of the types of uses and disclosures that require an authorization.
  • a statement outlining the Covered Entity’s duties to maintain the privacy of PHI.
  • a statement that individuals may complain to the covered entity if they believe their privacy rights have been violated.

The Privacy Notice is provided by the Group’s Health Plan TPA (Florida Blue) to the Group Health Plan participants (FCSRMC).

SLIDE 10

Notice of Privacy Practices

FCSRMC and its member colleges have adopted a HIPAA Privacy Policy Statement. The Privacy Policy should be reviewed with new staff at the time of new hire or orientation. Employees should sign the acknowledgement form indicating they have received and have had an opportunity to read the HIPAA Privacy Policy.

SLIDE 11

Consent and Authorization

Covered Entities cannot share PHI without the individual's awareness of their privacy rights. To use and disclose PHI for purposes other than treatment, payment and health operation purposes, Covered Entities must obtain a standard consent or authorization, with a few exceptions. Consent can be revoked by an employee/individual (patient) in writing. It is the policy of FCSRMC and its member colleges that individuals have a right to request that no disclosure be made of PHI. FCSRMC or its member colleges are not obligated to grant the request.

SLIDE 12

When Consent and Authorization is NOT Required

Permitted PHI disclosures without an authorization:

  • Treatment – Disclosures between Covered Entities (such as other healthcare providers) involved in the patient care, information to/from pharmacy or diagnostic center
  • Payment – Disclosure regarding balance to patient, all information needed by the health plan, information to collection agencies
  • Health Operations – Fraud/abuse detection, compliance programs, government inspections, training new employees, competency assessments, business management activities, quality improvement activities
  • Public health activities
  • Victims of abuse, neglect or domestic violence
  • Law enforcement purposes
  • To comply with Workers’ Compensation
  • To avoid serious threat to health or safety

SLIDE 13

When Consent and Authorization IS Required

An authorization is required for:

  • Use and disclosure of PHI for purposes other than treatment, payment and health operation purposes
  • Releasing psychotherapy notes
  • Marketing, research, sale of PHI, and fundraising
  • Releasing PHI to the patient’s employer

An authorization must include:

  • Description of the information to be disclosed
  • Names of persons to whom the information is to be given
  • Purpose of the disclosure
  • An expiration date for the use of the information

SLIDE 14

Individual’s Rights

  • Right to Restrict Disclosures
  • Right of Access
  • Right to Amendment
  • Right to Accounting of Disclosures

Requests for the above should be directed to, and processed by, the Group’s Health Plan TPA.

SLIDE 15

Individual’s Rights

Staff can file a written complaint if they believe their privacy has been violated. Complaints should be directed to the college’s privacy contact, and any intimidating or retaliatory acts are prohibited. It is important for staff to know that their PHI is safeguarded to protect PHI from any intentional or unintentional use or disclosure that is in violation of the HIPAA Privacy Rule.

SLIDE 16

“Minimum Necessary”

“Minimum Necessary” is limiting the amount of PHI that is used (within the facility) or disclosed (outside of the facility) to the least amount of information possible to accomplish the intended purpose.

  • Your facility should evaluate who should be accessing PHI (documented in job descriptions).
  • Only staff who need access to PHI to perform their job duties should be granted access to these areas (a unique sign-on and password, access to paper files, etc.).

Minimum Necessary does not apply to requests/disclosures to the staff or another healthcare provider for treatment purposes.

SLIDE 17

Medical Information – Personnel Records

In accordance with Section 112.0455, Florida Statutes (Drug-Free Workplace Act), drug screen results are confidential and exempt from disclosure under the public records law. The Americans with Disabilities Act (ADA) and HIPAA require that all medical documents be filed separately from personnel records. Medical information should be kept confidential and away from personnel records even if the company does not fall under ADA or HIPAA regulations. Medical paperwork that should be filed separately includes the following:

  • Reports from pre-employment physicals
  • Drug and alcohol testing results
  • Workers' compensation paperwork
  • Medical leave of absence forms
  • Disability paperwork
  • Insurance applications that reveal pre-existing conditions
  • Anything that identifies a medical issue

SLIDE 18

HIPAA Privacy Vs. Security Rules

Privacy Rule:

  • Sets standards for who needs access to PHI
  • Applies to all forms of PHI (electronic, written, oral)
  • Ensures access is only given to those who need it to perform their job

Security Rule:

  • Only applies to electronic forms of PHI

SLIDE 19

HIPAA Security Rule

Security encompasses the measures organizations must take to protect information within their possession from internal and external threats.

SLIDE 20

Administrative Safeguards

  • Establish HIPAA policies/procedures
  • Provide security awareness and reminders to staff
  • Perform a risk analysis to determine where you might be vulnerable to a breach
  • Have a Disaster Recovery Plan in case of emergency
  • Implement sanctions and terminations for staff who breach PHI
  • Manage passwords, including disabling access upon termination
  • Appoint a Privacy/Compliance Officer and Security Official
  • Implement Business Associate Agreements for all vendors who access PHI

SLIDE 21

Physical Safeguards

  • Design a contingency operations plan for when data is temporarily unavailable
  • Implement a security plan for the facility (door locks, electronic access controls, video monitoring)
  • Install password protection on monitors
  • Ensure monitors are not facing public areas
  • Password protect thumb drives and documents containing PHI (Word, Excel, etc.)
  • Properly dispose of devices (hard drives, copiers, fax machines, scanners)

SLIDE 22

Technical Safeguards

  • Only use certified software systems
  • Use data encryption/decryption on all devices (laptops, cell phones)
  • Install firewalls and antivirus software
  • Assign unique sign-on and passwords to software containing PHI
  • Utilize integrity controls to ensure PHI has not been tampered with or destroyed
  • Implement automatic log-off after the system has been idle
  • Back up data daily
  • Continually monitor and audit the system to ensure it has not been hacked or compromised

SLIDE 23

Staff Training

Employers are required to provide privacy and security training to staff and to provide periodic security reminders. Security reminders may include:

  • How to maintain security, including the need for strong passwords
  • Specific threats to PHI that have been identified, such as viruses
  • PHI access restrictions
  • Changes in policies/procedures concerning HIPAA regulations
  • Procedures to follow for modifying access to PHI
  • How to report security breaches and to whom

SLIDE 24

Breach of PHI

A breach is:

Any unauthorized access, use or disclosure of unsecured PHI which compromises the security or privacy of PHI, unless there is a low probability that the PHI has been compromised.

From January – June 2017, there were 2,000 HITECH breaches:

  • 175 million people affected
  • 127.6 million - network server
  • 6.6 million - desktop
  • 5.6 million - laptop
  • 2.1 million - unsecured email

Source: HIPAAOne - www.hipaaone.com/2017-hipaa

SLIDE 25

Mitigating Risk

Data protection:

  • Use workstations properly - don’t leave information open and unattended
  • Don’t share passwords or post them where others can see them
  • Don’t discuss confidential information with unauthorized individuals
  • Lock computer, desk and file cabinets
  • Use shredder/recycle bin when destroying information

Access controls:

  • Only give authorized staff access to software/files containing PHI

Other measures:

  • Report potential threats to the Privacy Contact at your facility
  • Encrypt emails containing PHI
  • Obtain BAA from vendors when accessing/obtaining PHI
  • Password protect mobile devices if accessing company emails on the device
  • Prevent malware infection on your computer by not downloading and installing anything you do not understand or trust, no matter how tempting
  • Provide training at time of hire and annually thereafter

SLIDE 26

Sanctions Policy

  • All workforce members must protect the confidentiality, integrity, and availability of sensitive information at all times.
  • FCSRMC will take appropriate disciplinary action against employees, contractors, or any individuals who violate the information security and privacy policies or state or federal confidentiality laws or regulations, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
  • FCSRMC will impose sanctions on any individual who accesses, uses, or discloses sensitive information without proper authorization.

Sanctions may include:

  • policy changes
  • personnel changes
  • transfer to another department
  • retraining
  • written reprimands
  • suspension
  • termination

SLIDE 27

Document Retention

Maintain the following documentation for six years, unless a longer period applies:

  • All policies and procedures
  • Business Associate Agreements
  • Signed Acknowledgement of Privacy Policies
  • Authorization forms
  • Notices and amended notices
  • Training of employees
  • Patient/employee complaints and their disposition (this must be documented on the complaint form and forwarded to FCSRMC)

SLIDE 28

Key Points

  • Provide initial training at hire and annually thereafter. Use the group attendance log as documentation.
  • Maintain a separate employee health file.
  • Keep all protected information in a limited access area and under lock and key.

SLIDE 29

1. Who is not a Covered Entity?
   a. Supermarket
   b. Physician
   c. Health Plan

2. Who must comply with HIPAA privacy and security rules?
   a. Only physicians and hospitals
   b. Patients
   c. All Covered Entities and Business Associates

3. Who should have access to PHI?
   a. Everyone in the company
   b. Everyone in the department
   c. Only those who need access to perform their job duties

4. It is OK to share your user name and password with someone you know as long as they do not share it with anyone else.
   a. True
   b. False

SLIDE 30

5. PHI can be used to make employment related decisions.
   a. True
   b. False

6. When is an authorization required to release PHI?
   a. Disclosures not related to treatment, payment or healthcare operations
   b. When someone requires assistance with insurance claims/benefits
   c. Both a and b

7. How long is the document retention policy under HIPAA?
   a. 10 years
   b. 6 years
   c. Indefinitely

8. Ways to mitigate risk to PHI are:
   a. Secure your workstation and other areas containing PHI
   b. Don’t report a breach if you suspect it has occurred
   c. Avoid the HIPAA training sessions

SLIDE 31

Questions?

Carol Crews, CMPE, CPMA, OHCC
Sr. Manager, Healthcare Advisory
BDO Center for Healthcare Excellence & Innovation
BDO USA
(904) 224-9787
ccrews@bdo.com

SLIDE 32

References

More detailed information can be found at the following resources:

  • U.S. Department of Health and Human Resources. 45 CFR Parts 160 and 164. Federal Register. www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/enfifr.pdf
  • U.S. Department of Health and Human Services, Office for Civil Rights. www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/provider_ffg.pdf
  • Centers for Medicare & Medicaid Services, Office of E-Health Standards and Services. www.hhs.gov/ocr/privacy/hipaa/enforcement/cmscompliancerev08.pdf
  • U.S. Department of Health and Human Services. www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule