HIPAA Field Training 2015

Transcription

1 HIPAA Field Training 2015

2 Topic 1 Time to complete Topic 1 Overview Approximately 15 minutes

3 Introduction/Objectives At the conclusion of this training module, you should have an understanding of the following: What constitutes Protected Health Information (PHI); The HIPAA Privacy and Security Rules and how each affects Employees in the workplace; Corizon Health s Privacy and Security Policies and Procedures and how these should be made available to all employees; The General Rules for the use and/or disclosure of PHI; The appropriate method for identifying and reporting Privacy and/or Security Violations and/or Incidents; 3

4 Introduction/Objectives (continued) At the conclusion of this training module, you should have an understanding of the following: Each Employee s responsibility in terms of Privacy and Security surrounding PHI in the workplace; and A patient s right surrounding his or her PHI and the role Employees have in exercising and/or preserving these rights Business Associates and the role and requirements surrounding each The HITECH Act and the Final Omnibus Rule (2013) Enforcement measures that are available in the absence of compliance 4

5 Top HIPAA Breaches in 2014 #1: Community Health System 4.5 million individuals affected Overseas hackers managed to bypass cybersecurity measures and obtained access to patient records, including names, addresses, dates of birth, telephone numbers and social security numbers. #2: Xerox State Healthcare, LLC 2 million individual affected Business associate to the Texas HHS Commission that failed to protect patient records and permitted other parties access to the protected information #3: Sutherland Healthcare Solutions, Inc. 342,197 individuals affected Eight laptops stolen from the office that were not appropriately encrypted. Computers held patient data, including names, addresses and billing information 5

6 HIPAA Terms 6

7 HIPAA Terms Breach The acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information

8 HIPAA Term: Business Associate A person or entity, other than an Employee or other member of the workforce of the Company, which performs, or assists in the performance of, a function or activity on behalf of Corizon Health or a Corizon Health Business Associate involving the use and/or disclosure of individually identifiable health information. Such functions or activities include claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, and repricing. Business associates also include any providers of legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to Corizon Health or a Business Associate thereof, where the provision of such services involves the disclosure or use of individually identifiable health information. 8

9 HIPAA Terms Business Associate Agreement Agreement between the Company and a Business Associate, pursuant to which the Business Associate agrees to provide certain protections of PHI received by or created on behalf of the Company. Corizon Health Corizon Health, Inc., Corizon, LLC, and their affiliated entities. Designated Record Set Please refer to your Corizon Health Privacy Policies for specific information on the Designated Record Set. 9

10 HIPAA Terms Disclosure Log Record maintained by Corizon Health of all disclosures of PHI as required to be maintained pursuant to Privacy and Security Policies and Procedures. Employee Any person whose conduct, in the performance of work for Corizon Health, is under the direct control of Corizon Health, whether or not such person is paid by Corizon Health and whose duties bring such person in contact with PHI. For the purpose of these Privacy and Security Policies and Procedures, the term Employee includes, but is not limited to, customer service representatives, any administrative personnel, and any personnel under Corizon Health s control who deliver health care services or items to inmates in correctional institutions. 10

11 HIPAA Terms Final Omnibus Rule The final rule announced by U.S. Dept. of Health and Human Services which implements a number of provisions of the HITECH ACT, effective March 26, 2013 with a compliance date of September 26,

12 HIPAA Terms Health Care Operations Administrative and managerial activities of Corizon Health including quality assessment and improvement activities, legal compliance activities, business planning and development activities, and other business management and general administrative activities. Health Oversight Activity Activities by a Health Oversight Agency for the purpose of oversight of the healthcare system (whether public or private, or government programs) in which health information is necessary to determine eligibility or compliance, or to enforce civil rights for which health information is relevant. 12

13 HIPAA Terms Health Oversight Agency An agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or a person or entity acting under a grant of authority or contract with such public agency, that is authorized by law to conduct Health Oversight Activities. HIPAA The Health Insurance Portability and Accountability Act of 1996, commonly referred to as HIPAA, is a federal law which created a national standard for the privacy and security of protected health information ( PHI ). 13

14 HIPAA Terms HITECH Act Health Information Technology for Economic and Clinical Health Act Individually Identified Health Information Health information which relates to: (i) the past, present, or future physical or mental health or condition of an individual; (ii) the provision of healthcare to an individual; or (iii) the past, present, or future payment for the provision of healthcare to an individual, where such information either identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. 14

15 HIPAA Terms Patients and Personal Reps The term patient may also include the patient's legally designated "personal representative". A personal representative is any of the following [see 45 C.F.R (g)]: A conservator of the person of an incompetent patient; an agent appointed under a power of attorney for health care, if the patient is incompetent; any other person who can make health care decisions on behalf of an incompetent patient; A personal representative (i.e., the executor or administrator) of the estate of a deceased patient or any heir or beneficiary of a deceased patient; parents of minor children; or emancipated minors. 15

16 HIPAA Terms Professional Corporation (PC) A corporate entity established and solely owned by physician shareholders. 16

17 HIPAA Terms Protected Health Information (PHI) Health information which relates to: (i) the past, present, or future physical or mental health or condition of an individual; (ii) the provision of healthcare to an individual; or (iii) the past, present, or future payment for the provision of healthcare to an individual, where such information either identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. PHI includes not only medical records, but all other forms or documents that contain individually identifiable information, including but not limited health service request forms, medication administration records, sick call requests, daily clinic logs, etc.

18 HIPAA Terms Privacy Officer The person who is responsible for the development and implementation of these Privacy and Security Policies and Procedures, and overseeing the Company s compliance with the requirements of the Privacy Rules. Privacy Rules Regulations promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 ( HIPAA ) at Title 45, parts 160, 162 and 164 of the Code of Federal Regulations, pertaining to the privacy of health information. 18

19 HIPAA Terms Privacy and Security Policies and Procedures The policies and procedures contained herein, which have been adopted by the Company as part of its efforts to comply with the Privacy and Security Rules. Public Health Activity The activities of a public health authority for the purpose of preventing or controlling disease, injury or disability, including but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions. 19

20 HIPAA Terms Security Officer The person who is responsible for the development and implementation of Security Policies and Procedures, and overseeing the Company s compliance with the requirements of the Security Rule. 20

21 HIPAA Terms Unsecured PHI Protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary

22 Who are the Corizon Health Super Users? Who are the Super Users for our companies? All HSAs/Program Managers/DONs/AAs Regional Office Designees Professional Corporation (PC) Shareholders Who will the Super Users be training? All Site Level Employees PC Employees 22

23 Who are the Corizon Health Super Users? What is the Super User role? HIPAA Training Facilitator Initial contact person at the site level for HIPAA related issues Note: In the event that you have a question concerning this training module or HIPAA, please contact your site Super User or the Privacy Officer. 23

24 Why is training important? There are many reasons why training is important. Training Training enables Employees to develop the knowledge and skills set necessary to perform the essential functions of their job in compliance with the law. Advantage Effective training affords Corizon Health a competitive advantage in the correctional healthcare market. 24

25 Why is training important? Career Training advances an Employee s career and sense of feeling valued by Corizon Health. OJT On the job training is an investment in Corizon Health s future as Employees will share this knowledge with other Employees (current and new hires) in performing the essential functions of their job. 25

26 Training Compliance To begin, you will need to complete this course by completing all of the Topics. After you review the 5 topics, you may take the quiz. We ve estimated your total time to complete this course, including the Quiz, is about 70 minutes. Topic Title Topic # Time to Complete Overview 1 15 Minutes Privacy Rule 2 15 Minutes Security Rule 3 10 Minutes Reporting and Enforcement 4 10 Minutes Scenarios 5 10 Minutes Review Quiz Quiz 10 Minutes Total Time to Complete: 70 Minutes 26

27 Training Compliance At the end of this training, you will need to take a short quiz and answer all ten (10) questions correctly. In the event you do not answer all ten (10) questions correctly, you are required to retake the quiz. The Super User at each site shall ensure that each Employee takes the Quiz until he/she attains a score of 100%. 27

28 What is HIPAA? The Health Insurance Portability and Accountability Act of 1996, commonly referred to as HIPAA, is a federal law which created a national standard for the privacy and security of Protected Health Information ( PHI ). In learning about HIPAA, it is important to recognize that this legislation was enacted with two broad interests in mind: Privacy Security 28

29 What is HIPAA? In this course, we will first learn about the privacy component of HIPAA more precisely referred to as the HIPAA Privacy Rule. Generally speaking, the HIPAA Privacy Rule was enacted to encompass the following items: Individual rights; Instructions on how to exercise those individual rights; and Uses and/or disclosures of PHI which must be authorized by the individual (patient) or are required by law. 29

30 What is HIPAA? After we conclude our discussion of the Privacy Rule, we will redirect our attention to the Security Rule which mandates the administrative, physical, and technical safeguards necessary to protect the confidentiality, integrity, and availability of electronic PHI ( ephi ). 30

31 What is Protected Health Information? HIPAA s Privacy and Security Rules only apply to PHI, which is commonly referred to as PHI. Therefore, in order for Employees to understand the important aspects of HIPAA, it is critical to know what PHI is. PHI is defined as individually identified health information that is transmitted or maintained in electronic, written, oral, and/or any other recorded form or medium. 31

32 What is Protected Health Information? Individually identifiable health information is: Information that identifies an individual; Information created or received by Corizon Health; and Information that relates to the past, present or future physical or mental health condition of the individual. 32

33 What is PHI? Some common examples of PHI include: Patient medical records Prescriptions Billing information Patient insurance forms Patient charts PHI does NOT include: Employment records held by a Covered Entity in its role as an employer Educational records 33

34 How does HIPAA apply to Corizon? HIPAA only applies to Covered Entities, which include health plans, health care clearinghouses and health care providers who use PHI in connection with certain electronic transactions (such as payments or claims attachments). 34

35 How does HIPAA apply to Corizon? Under HIPAA, a health care provider is defined as an entity that furnishes medical services. Because Corizon Health provides medical services to inmates of correctional facilities across the United States, Corizon Health is considered a health care provider. As a health care provider, Corizon Health transmits electronic PHI for purposes of certain transactions which results in Corizon Health being classified as a Covered Entity for purposes of HIPAA. 35

36 Topic 1 Overview Conclusion Great job, Topic 1 is complete. Topic Title Topic # Time to Complete Overview 1 15 Minutes Privacy Rule 2 15 Minutes Security Rule 3 10 Minutes Reporting and Enforcement 4 10 Minutes Scenarios 5 10 Minutes Review Quiz Quiz 10 Minutes Total Time to Complete: 70 Minutes 36

37 Topic 2 Time to complete Topic 2 Privacy Rule Approximately 15 minutes

38 Objectives At the end of this Topic, the learner will have a good understanding of: The general rules for the use and disclosure of PHI; An individual s right to access his or her own PHI; How to adequately protect an individual s PHI from inappropriate use or disclosure; Documenting non-routine disclosures of PHI; and The reporting of any improper uses or disclosures of PHI to the appropriate personnel so that any harmful effects can be mitigated. 38

39 General Rules for the Use and Disclosure of PHI The HIPAA Privacy Rule generally requires Corizon Health to take reasonable steps to limit the use and disclosure of PHI to the minimum amount necessary to accomplish this purpose. The Employee shall make a reasonable effort to use and or disclose only the amount of PHI which is required to perform the essential job functions. It is important to remember that the Minimum Necessary Standard does not apply to all uses and disclosures of PHI. 39

40 Exceptions to the Minimum Necessary Standard The Minimum Necessary Standard DOES NOT apply to the following uses and disclosures of PHI: Uses and disclosures of PHI for treatment purposes (e.g. from one health care provider to another) Uses and disclosures of PHI to the individual who is the subject of the PHI Uses and disclosures of PHI pursuant to a valid HIPAA compliant written authorization Uses and disclosures of PHI that are required by law 40

41 Minimum Necessary Standard Example 1 A patient at the Jail has requested that a copy of his entire medical record be provided to his attorney. He has a presented a signed, validly executed authorization for release of his records. Does the Minimum Necessary Standard apply here? YES NO Correct Answer: No, the patient has signed an Authorization allowing his entire record to be sent to his Attorney. The Minimum Necessary Rule does not apply. The entire record must be provided to the patient s attorney. 41

42 Minimum Necessary Standard Example 2 Patient is being sent off-site to the hospital for a surgical procedure. The surgeon at the hospital calls to speak to the treating physician at the correctional facility about the Patient s care and upcoming procedure. Does the Minimum Necessary Standard apply here? YES NO Correct Answer: No, the Minimum Necessary Standard does NOT apply to uses and disclosures of PHI for the purpose of treatment. 42

43 Minimum Necessary Standard Example 3 Nurse Nancy makes a serious documentation error in a Patient s chart. Her supervisor works with the HR Department to determine whether corrective action is warranted. The HR Department requests a copy of the medical record as part of its investigation. Does the Minimum Necessary Standard apply here? YES NO Correct Answer: Yes, the Supervisor should only provide the relevant pages of the medical record to the HR department with the patient s name redacted. The HR Department does not need to know the patient s name or see the entire record in order to complete its investigation. 43

44 Minimum Necessary Standard Example 4 Several inmates at the correctional facility have been diagnosed with and are being treated for a communicable disease. The local health department is on-site at the correctional facility to investigate and help mitigate a possible outbreak. Should the Medical Staff apply the Minimum Necessary Standard when speaking with the Health Department? YES NO Correct Answer: No, this disclosure is required by law so the Minimum Necessary Standard would NOT apply. The Health Department will need all information related to the patients with the communicable disease in order to adequately and effectively treat and prevent the spread of the disease. 44

45 When is a Written Authorization Required? The HIPAA Privacy Rule requires Employees to obtain a HIPAA compliant written patient authorization prior to using and/or disclosing PHI for certain purposes. Some examples of uses and/or disclosures of PHI that require a HIPAA compliant patient authorization are: Disclosure of PHI to the patient s family or friends in cases where the friend or family member is NOT the patient s personal representative Disclosure of PHI to the media Disclosure of PHI to the patient s attorney. Employees can obtain Corizon s standard HIPAA compliant patient authorization online at or from the Super User at your respective site. 45

46 When a Written Authorization is NOT Required Employees are NOT required to obtain a HIPAA compliant written authorization prior to using and/or disclosing PHI in the following circumstances: Uses or disclosures of PHI for treatment purposes (providing healthcare services or items) Uses or disclosures of PHI for payment purposes (submitting and receiving claims, making and receiving payment for services) Uses or disclosures of PHI for health care operational purposes (quality improvement activities, credentialing, utilization review, training programs, accreditation activities, insurance rating) 46

47 When a Written Authorization is NOT Required (Continued) Uses or disclosures of PHI to a correctional facility or officer to assist the facility in providing the patient with health care, protecting the health or safety of the patient or others, or for the safety or security of the correctional facility Uses or disclosures of PHI to avert serious threat to health or safety (threat to the patient, public, or other individuals) Uses or disclosures of PHI for law enforcement purposes (information related to the commission of a crime on the premises or against health care personnel) 47

48 When a Written Authorization is NOT Required (Continued) Uses or disclosures of PHI to a Corizon Health Business Associate that has signed a Business Associate Agreement Uses or disclosures of PHI for public health activities as required by law for the purpose of preventing or controlling disease, injury or disability Uses or disclosures of PHI for judicial, legal, or administrative proceedings (e.g. Court orders and subpoenas) KEY ELEMENT OF INSTRUCTION: It is important that Employees understand that Corizon Health is the custodian of the PHI in its possession and the Client is the owner. For this reason, Employees must not impede the Client s ability to access its own PHI so long as such use and disclosure complies with the correctional facilities/officer exception listed above. 48

49 What is required of a Business Associate? The HIPAA Privacy Rule requires Covered Entities such as Corizon Health to enter into a Business Associate Agreement ( BAA ) with any third party individual or entity that is determined to be a Business Associate of the Company ( BA ). Upon entering into a BAA with Corizon Health, a BA is then obligated to comply with certain requirements under the Privacy and Security Rules, including agreeing to the use and/or disclosure of PHI only as permitted under the BAA and to maintain the appropriate security safeguards so as to prevent the unauthorized access, use, and/or disclosure of PHI. 49

50 Business Associate Contracting Process It is important to remember that Corizon Health may not share PHI (the use and/or disclosure) with a BA until a BAA has been executed between the parties. If you wish to engage a BA, you need to contact the Privacy Officer and they will assist you with the process of drafting and executing the agreement. Corizon Health is required to maintain copies of any fully executed BAAs in the event they are requested by the government. Therefore, it is imperative that the Privacy Officer be involved in the contracting process.

51 Subcontractors Upon the enactment of the Final Omnibus Rule in 2013, all subcontractors of Corizon Health's Business Associates are required to comply with the Privacy & Security Rules. This significant legislative change will require Corizon Health to carefully monitor the subcontractors utilized by its business associates for the purpose of ensuring 100% compliance. 51

52 Who is a Business Associate? The appropriate way to determine whether or not a third party individual or entity is a Corizon Health BA is in looking at the activities and/or functions they perform on the Company s behalf. Typical activities or functions performed by a BA for or on behalf of a Covered Entity such as Corizon Health include those listed below, provided the activity or function involves the use and/or disclosure of PHI: Typical Activities / Functions Performed by a Business Associate Claims Processing Data Analysis Utilization Management Quality Assurance Benefit Management Third Party Admin Activities Practice Management Services Legal Accounting / Actuarial Consulting Management Administrative 52

53 Who is a Business Associate? (Continued) To the contrary, if a third party individual or entity performs one or more of the foregoing activities and/or functions on behalf of Corizon Health but, DOES NOT access or use PHI in doing so, no business associate agreement is required. Additionally, if a third party individual or entity is a healthcare provider AND only receives and/or uses PHI in treating a common patient (an individual that is also a patient of Corizon Health), no business associate agreement is required. In the event you have any questions with regard to Business Associates, please contact the Privacy Officer and/or a member of the Corizon Health Legal Department. 53

54 Documenting Non-Routine Disclosures of PHI Under the Privacy Rule, Corizon Health is required to provide patients with an accounting of all Non-Routine Disclosures of PHI made for up to six (6) years prior to the date of the patient s request. Employees MUST document all Non-Routine disclosures of PHI in the PHI Non-Routine Disclosure Log. 54

55 Documenting Non-Routine Disclosures of PHI (Continued) Disclosure of PHI to a Health Oversight Agency (CMS, State DHS, SSA) Disclosures of PHI made pursuant to a Court or Administrative Agency Order Disclosures of PHI made pursuant to a subpoena Disclosures of PHI made pursuant to a request by a law enforcement agency Disclosures of PHI made to avoid a serious threat to health or safety Disclosures of PHI made to a public health agency (state or local public health authority) 55

56 Documenting Non-Routine Disclosures of PHI (Continued) When documenting Non-Routine Disclosures of PHI, Corizon Health must record the following information in the PHI Non-Routine Disclosure Log: Date of the disclosure Name and address of the person or organization who received the disclosure Brief description of the PHI disclosed Purpose for which the information was disclosed In the event an Employee has further questions about the documentation requirements for Non-Routine Disclosures of PHI, they should contact their site Super User or the Privacy Officer. 56

57 Patient s Right to Access PHI As a general rule, HIPAA gives patients certain rights regarding their PHI, including, but not limited to, the right to inspect or obtain a copy of their medical records. Additionally, specialized rules may apply if the patient is legally considered a minor. However, because inmates do not have the same rights as other patients under HIPAA, Corizon Health may deny an inmate s request to inspect or obtain a copy of his or her PHI if it would jeopardize the health, safety, security, custody, or rehabilitation of the individual or other inmates, or the safety of an Employee or the correctional staff of the facility. 57

58 What Rights Do Minors Have? HIPAA addresses issues surrounding parental rights relative to a minor (a person who has not reached the legal age of majority) under the regulations dealing with personal representatives. HIPAA defines a personal representative as a person authorized under applicable law to make health care decisions on another individual s behalf. It is important to know that HIPAA takes a deferential approach to patient rights when it comes to dealing with patients who have not reached the legal age of majority (minors). As a general rule, HIPAA gives minors the right to exercise control over their own PHI (including restrictions on access) IF, under state law, the minor in question obtained or could have obtained the medical treatment to which the PHI pertains, WITHOUT parental consent. As is the case with all legal rules, there is an EXCEPTION: If the state law allows or prevents the disclosure of a minor s PHI to a parent or guardian (personal representative), HIPAA defers to the state law. 58

59 What Rights Do Minors Have? (Continued) CAUTION: When dealing with minors and their rights with regard to PHI, you should consult the legal department as to what state law allows and/or requires. These situations should be addressed on a case by case basis as there are other legal scenarios where a minor is permitted to restrict access to his or her own PHI (e.g. in cases of abuse or neglect, where PHI involves substance abuse and/or mental health). 59

60 Corizon Health Privacy Officer Corizon Health has designated a HIPAA Privacy Officer whose responsibilities include ensuring HIPAA compliance among all Employees. The Corizon Health Privacy Officer is: Maya Patel Olive Boulevard, Suite 400 St. Louis, MO Telephone: privacy@corizonhealth.com 60

61 Safeguarding PHI Key Provisions Comprehensive Privacy and Security Policies and Procedures have been developed in order to safeguard PHI. The Corizon Health Privacy and Security Policies & Procedures are available for reference at and in paper form at the site level. Key provisions include the following: All current Employees and all new Employees will receive compliance training consistent with the Corizon Health Privacy and Security Policies and Procedures Only authorized Employees will have access to PHI Access to all PHI will be monitored 61

62 Safeguarding PHI Key Provisions (Continued) Before disclosing PHI for any purpose other than for treatment, payment or health care operations, an Employee should consult the Corizon Health Privacy and Security Policies and Procedures and determine the following: If the disclosure is permitted If a patient authorization is required for the disclosure If the disclosure must be documented 62

63 Safeguarding PHI Key Provisions (Continued) If an employee cannot determine with certainty whether a disclosure is permitted, requires patient authorization, or must be documented, the Employee must contact the Super User or Privacy Officer for clarification. 63

64 Employee Privacy Responsibilities All Employees must do the following: COMPLY: Comply with Corizon s Privacy and Security Policies and Procedures; MINDFUL: Be mindful of privacy issues pertaining to the use and disclosure of PHI; ACCESS: Ensure that only authorized Employees access PHI; 64

65 Employee Privacy Responsibilities (Continued) BEFORE: REFRAIN: Before disclosing PHI, consult the Privacy and Security Policies and Procedures to determine if a patient authorization is required for the disclosure and whether or not the disclosure must be documented; Refrain from discussing PHI in common or unsecured areas (e.g. elevators, lobbies, etc.); and NOTIFY: Notify the Privacy Officer if he or she believes that a Privacy and/or Security Policies and Procedure has been violated 65

66 Topic 2 Privacy Rule Conclusion Great job, Topic 2 is complete. Topic Title Topic # Time to Complete Overview 1 15 Minutes Privacy Rule 2 15 Minutes Security Rule 3 10 Minutes Reporting and Enforcement 4 10 Minutes Scenarios 5 10 Minutes Review Quiz Quiz 10 Minutes Total Time to Complete: 70 Minutes 66

67 Topic 3 Time to complete Topic 3 Security Rule Approximately 10 minutes

68 The Security Rule The HIPAA Security Rule became effective on April 20, 2005, and set a national standard for protection of the confidentiality, integrity, and availability of electronic PHI when it is stored (at rest), maintained, or transmitted. The Security Rule sets forth the standards and processes that are required to protect the confidentiality, integrity, and availability of electronic PHI in the form of Administrative, Physical, and Technical *Safeguards (*covered on next page). 68

69 The Security Rule Administrative Safeguard Example Requiring authorization for Employees to access electronic PHI Physical Safeguard Example Maintaining secure workstations to avoid the incidental viewing of PHI Technical Safeguard Example Continuously monitoring all access attempts to electronic PHI 69

70 Corizon Health Security Officer Corizon Health has designated a Security Officer whose responsibilities include ensuring compliance with Corizon s Security Policies and Procedures. The Corizon Health Security Officer is: Jacob Arthur 103 Powell Court Brentwood, TN security@corizonhealth.com 70

71 Employee Security Responsibilities All Employees must do the following: ADHERE: Comply with Corizon s Privacy and Security Policies and Procedures; AVOID: Avoid the use of common or obvious passwords; AVOID: LOCK/LOG OFF: REPORT Avoid sharing passwords with anyone; Lock or log off workstations whenever leaving them unattended; Promptly report any suspected security violations to the Security Officer. 71

72 Corizon Encryption Policy When sending PI or PHI via to a domain address other than Corizonhealth.com., you must encrypt the communication. Adding any one of the following key words: encryptme, [ENCRYPT], or [SEND SECURE] to the subject line of the , will send the message through our secure gateway. Failure to do so could result in a breach of the PHI.

73 Prohibited Activity You MAY NOT send any PHI from any personal account or other non Corizonhealth account, like a DOC or county address. When you send an that contains PHI outside the Corizonhealth.com domain, it needs to be sent from a corizonhealth.com address and be encrypted. DO NOT USE your DOC or county address to communicate with employees or the corporate office regarding any PHI. If you do so, corrective action, up to and including termination, may result.

74 Topic 3 Security Rule Conclusion Great job, Topic 3 is complete. Topic Title Topic # Time to Complete Overview 1 15 Minutes Privacy Rule 2 15 Minutes Security Rule 3 10 Minutes Reporting and Enforcement 4 10 Minutes Scenarios 5 10 Minutes Review Quiz Quiz 10 Minutes Total Time to Complete: 70 Minutes 74

75 Topic 4 Time to complete Topic Reporting/Enforcement Approximately 10 minutes

76 Objectives Upon completing this Topic, you should understand the following: How the HITECH Act of 2009 and the Final Omnibus Rule affect Corizon Health and its Employees What enforcement measures can be taken in the event our Employees run afoul of compliance. Because the exchange of health information is important for all health care providers and their patients, legislators are constantly looking for ways to modify and /or improve the rules surrounding such. The Final Omnibus Rule is one example of a recent legislative update which increased many of the duties a health care provider has with regard to information privacy and security. 76

77 Privacy and Security Violations Employees that fail to follow the Privacy and Security Policies and Procedures will be subject to appropriate disciplinary actions as set forth under HIPAA. In the event that an Employee believes that a Privacy and/or Security Policy and Procedure has been violated, the Employee should: Notify the Privacy or Security Officer immediately Assist the Privacy or Security Officer to take whatever steps are practicable to mitigate (minimize) the harm from the violation 77

78 HIPAA Enforcement: Key Facts DELEGATED AUTHORITY: On December 20, 2000, the Department of Health and Human Services secretary delegated the authority to administer and enforce the Privacy and Security Standards to the Office of Civil Rights (OCR). OCR ENFORCEMENT The OCR enforcement process is complaint driven and provides any individual who believes that a HIPAA Covered Entity is not complying with the HIPAA Rules the right to file a complaint. 78

79 HIPAA Enforcement: Key Facts HIPAA MANDATES: MONEY PENALTIES: HIPAA mandates strict civil and criminal penalties for violations of the Privacy and Security Standards. OCR has the power to assess civil money penalties against Corizon Health (a covered entity) if an Employee violates HIPAA. Specifically, OCR may assess civil monetary penalties against Corizon Health for up to $50,000 per violation and up to $1,500,000 each calendar year for identical violations which are not corrected. 79

80 HIPAA Enforcement: Key Facts CRIMINAL CHARGES: Criminal charges may be brought and enforced by the Department of Justice against Covered Entities or their employees (individually) if an offense is committed with intent to sell, transfer, or use health information for commercial advantage, personal gain, or malicious harm. Violators (covered entities and/or their individual employees) may be fined up to $250,000, imprisoned for up to 10 years, or both. 80

81 HITECH HITECH proposed several modifications to HIPAA, many of which were enacted into law through the Final Omnibus Rule, effective March 26,

82 Topic 4 Reporting/Enforcement Conclusion Great job, Topic 4 is complete. Topic Title Topic # Time to Complete Overview 1 15 Minutes Privacy Rule 2 15 Minutes Security Rule 3 10 Minutes Reporting and Enforcement 4 10 Minutes Scenarios 5 10 Minutes Review Quiz Quiz 10 Minutes Total Time to Complete: 70 Minutes 82

83 Topic 5 Time to complete Topic 5 Scenarios Approximately 10 minutes

84 Privacy and Security Violations (Scenario 1) A local state representative has been contacted by one of his constituents expressing concerns for their son s medical care while incarcerated and has called your site demanding a copy of the inmate s medical records and to speak with the treating provider. The appropriate action would be to send a copy over to the representative since he is a government employee. YES NO Correct Answer: No Without a properly executed, HIPAA compliant authorization signed by the inmate, the site may not release any information to the state representative, regardless of his position in the Legislature. 84

85 Privacy and Security Violations (Scenario 2) A terminally ill patient has recently died. During his incarceration, he was never visited by any family member nor had any contact with family. Upon his death, his daughter is now demanding a copy of his medical records. The daughter has provided no evidence that she is the personal representative of the estate. The appropriate action would be to provide the inmate s health record to the attorney. Correct Answer: No In order to provide a deceased patient s records to a family member, the family member must present documentation evidencing that they have been appointed personal representative of the estate. The HIPAA Privacy Rule protects the individually identifiable health information about a 85 decedent Corizon Health, for Inc. All 50 information years and photos following are confidential and proprietary. the date All rights reserved. of death of the patient. YES NO

86 Scenarios Behind Bars (Scenario 3) The mother of a MINOR inmate contacts medical and informs you of the following: She saw her son at a visit today, and he told her that he is not getting his medication and that we put him on medication he does not want to take. It is obvious that she is reporting accurate information. Can you discuss her son s healthcare with her because you realize that she has this information? YES NO Correct Answer: No The Employee must consult the Legal Department as to the policy governing disclosure of PHI to a Personal Representative of a minor. 86

87 Scenarios Behind Bars (Scenario 4) The mother of an ADULT inmate contacts medical and informs you of the following: She saw her son at a visit today and he told her that he is not getting his medication and that we put him on medication he does not want to take. It is obvious that she is reporting accurate information. Can you discuss her son s healthcare with her because you realize that she has this information? Correct Answer: No YES NO The mother needs to provide verification that she has been authorized / designated as the inmate s personal representative via a standard Corizon Health Authorization Form, prior to any PHI being released / discussed / disclosed. 87

88 Topic 5 Scenarios Conclusion Great job, Topic 5 is complete. Topic Title Topic # Time to Complete Overview 1 15 Minutes Privacy Rule 2 15 Minutes Security Rule 3 10 Minutes Reporting and Enforcement 4 10 Minutes Scenarios 5 10 Minutes Review Quiz Quiz 10 Minutes Total Time to Complete: 70 Minutes 88

89 Slides Completed Go To Quiz Great Job! You have completed viewing the 5 Topics. Please proceed, as instructed by your site Super User, to the Quiz. A separate Quiz and Answer sheet will be provided to you.