HIPAA Annual Training


1 HIPAA Annual Training

2 Test Out Option for HIPAA Annual Training: Corizon Health is offering a test out option on Annual HIPAA Training. Here is how it works:
1. You may take a 10 question pre-test regarding HIPAA. If you pass with a score of 100%, you may skip the full training course and receive a Completed status for this annual requirement.
2. You MUST attain a 100% score.
3. If you miss no more than two questions, you may qualify to re-take the pre-test. If you miss 3 or more questions on the pre-test, you will be redirected to the course.
4. If you attain a 100% the second time around, you will receive a Completed status for this training. However, if you do not achieve a 100% score on your re-test, you will be required to complete the entire training module.

3 Test Out Option for HIPAA Annual Training: NOTE: If you are a new hire and have never taken the HIPAA Training module before, you are NOT eligible for the pre-test option. You MUST take the ENTIRE New Employee HIPAA training module.
1. If you would like to take the pre-test option, please let your site Super User know so that you can take the test now.
2. If you would prefer to take the entire training module and then take the test, then please proceed with the training module at this time and your Super User will provide you the test.

4 Topic 1: Overview. Time to complete: approximately 15 minutes

5 Introduction/Objectives: At the conclusion of this training module, you should have an understanding of the following: Corizon Health's Privacy and Security Policies and Procedures; What constitutes Protected Health Information (PHI); The General Rules for the use and/or disclosure of PHI; The HIPAA Privacy and Security Rules and how each affects Employees in the workplace; The appropriate method for identifying and reporting Privacy and/or Security Violations and/or Incidents;

6 Introduction/Objectives (continued): At the conclusion of this training module, you should have an understanding of the following: A patient's rights surrounding his or her PHI and the role Employees have in exercising and/or preserving these rights; The HITECH Act and the Final Omnibus Rule (2013); Business Associates and the role and requirements surrounding each; Enforcement measures that are available in the absence of compliance; and Each Employee's responsibility in terms of Privacy and Security surrounding PHI in the workplace.

7 HIPAA Terms

8 HIPAA Terms. Breach: The acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.

9 HIPAA Term: Business Associate. A person or entity, other than an Employee or other member of the workforce of the Company, which performs, or assists in the performance of, a function or activity on behalf of Corizon Health or a Corizon Health Business Associate involving the use and/or disclosure of individually identifiable health information. Such functions or activities include claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, and repricing. Business associates also include any providers of legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to Corizon Health or a Business Associate thereof, where the provision of such services involves the disclosure or use of individually identifiable health information.

10 HIPAA Terms. Business Associate Agreement: Agreement between the Company and a Business Associate, pursuant to which the Business Associate agrees to provide certain protections of PHI received by or created on behalf of the Company. Corizon Health: Corizon Health, Inc., Corizon, LLC, and their affiliated entities. Designated Record Set: Please refer to your Corizon Health Privacy Policies for specific information on the Designated Record Set.

11 HIPAA Terms. Disclosure Log: Record maintained by Corizon Health of all disclosures of PHI as required to be maintained pursuant to Privacy and Security Policies and Procedures. Employee: Any person whose conduct, in the performance of work for Corizon Health, is under the direct control of Corizon Health, whether or not such person is paid by Corizon Health and whose duties bring such person in contact with PHI. For the purpose of these Privacy and Security Policies and Procedures, the term Employee includes, but is not limited to, customer service representatives, any administrative personnel, and any personnel under Corizon Health's control who deliver health care services or items to inmates in correctional institutions.

12 HIPAA Terms. Final Omnibus Rule: The final rule announced by U.S. Dept. of Health and Human Services which implements a number of provisions of the HITECH Act, effective March 26, 2013 with a compliance date of September 26,

13 HIPAA Terms. Health Care Operations: Administrative and managerial activities of Corizon Health including quality assessment and improvement activities, legal compliance activities, business planning and development activities, and other business management and general administrative activities. Health Oversight Activity: Activities by a Health Oversight Agency for the purpose of oversight of the healthcare system (whether public or private, or government programs) in which health information is necessary to determine eligibility or compliance, or to enforce civil rights for which health information is relevant.

14 HIPAA Terms. Health Oversight Agency: An agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or a person or entity acting under a grant of authority or contract with such public agency, that is authorized by law to conduct Health Oversight Activities. HIPAA: The Health Insurance Portability and Accountability Act of 1996, commonly referred to as HIPAA, is a federal law which created a national standard for the privacy and security of protected health information ("PHI").

15 HIPAA Terms. HITECH Act: Health Information Technology for Economic and Clinical Health Act. Individually Identified Health Information: Health information which relates to: (i) the past, present, or future physical or mental health or condition of an individual; (ii) the provision of healthcare to an individual; or (iii) the past, present, or future payment for the provision of healthcare to an individual, where such information either identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

16 HIPAA Terms. Patients and Personal Reps: The term patient may also include the patient's legally designated "personal representative". A personal representative is any of the following [see 45 C.F.R (g)]: A conservator of the person of an incompetent patient; an agent appointed under a power of attorney for health care, if the patient is incompetent; any other person who can make health care decisions on behalf of an incompetent patient; A personal representative (i.e., the executor or administrator) of the estate of a deceased patient or any heir or beneficiary of a deceased patient; parents of minor children; or emancipated minors.

17 HIPAA Terms. Professional Corporation (PC): A corporate entity established and solely owned by physician shareholders.

18 HIPAA Terms. Protected Health Information (PHI): Health information which relates to: (i) the past, present, or future physical or mental health or condition of an individual; (ii) the provision of healthcare to an individual; or (iii) the past, present, or future payment for the provision of healthcare to an individual, where such information either identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. PHI includes not only medical records, but all other forms or documents that contain individually identifiable information, including but not limited to health service request forms, medication administration records, sick call requests, daily clinic logs, etc.

19 HIPAA Terms. Privacy Officer: The person who is responsible for the development and implementation of these Privacy and Security Policies and Procedures, and overseeing the Company's compliance with the requirements of the Privacy Rules. Privacy Rules: Regulations promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") at Title 45, parts 160, 162 and 164 of the Code of Federal Regulations, pertaining to the privacy of health information.

20 HIPAA Terms. Privacy and Security Policies and Procedures: The policies and procedures contained herein, which have been adopted by the Company as part of its efforts to comply with the Privacy and Security Rules. Public Health Activity: The activities of a public health authority for the purpose of preventing or controlling disease, injury or disability, including but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions.

21 HIPAA Terms. Security Officer: The person who is responsible for the development and implementation of Security Policies and Procedures, and overseeing the Company's compliance with the requirements of the Security Rule.

22 HIPAA Terms. Unsecured PHI: Protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary

23 Who are the Corizon Health Super Users? Who are the Super Users for our companies? All HSAs/DONs; All Field and Regional Office AAs; Regional Office Designees; Professional Corporation (PC) Shareholders. Who will the Super Users be training? All Site Level Employees; PC Employees.

24 Who are the Corizon Health Super Users? What is the Super User role? HIPAA Training Facilitator; Initial contact person at the site level for HIPAA related issues.

25 Why is training important? There are many reasons why training is important. Training: Training enables Employees to develop the knowledge and skill set necessary to perform the essential functions of their job in compliance with the law. Advantage: Effective training affords Corizon Health a competitive advantage in the correctional healthcare market.

26 Why is training important? Career: Training advances an Employee's career and sense of feeling valued by Corizon Health. OJT: On the job training is an investment in Corizon Health's future as Employees will share this knowledge with other Employees (current and new hires) in performing the essential functions of their job.

27 Training Compliance: To begin, you will need to complete this course by completing all of the Topics. After you review the 5 topics, you may take the quiz. We've estimated that your total time to complete this course, including the Quiz, is about 70 minutes.
Topic Title | Topic # | Time to Complete
Overview | 1 | 15 Minutes
Privacy Rule | 2 | 15 Minutes
Security Rule | 3 | 10 Minutes
Reporting and Enforcement | 4 | 10 Minutes
Scenarios | 5 | 10 Minutes
Review Quiz | Quiz | 10 Minutes
Total Time to Complete: 70 Minutes

28 Training Compliance: At the end of this training, you will need to take a short quiz and answer all ten (10) questions correctly. In the event you do not answer all ten (10) questions correctly, you are required to retake the quiz. The Super User at each site shall ensure that each Employee takes the Quiz until he/she attains a score of 100%.

29 Hot Buttons for Corizon Health: Disposal of PHI. Sensitive information and PHI should NEVER be placed in the regular trash! Hard copy materials that contain PHI, like sick call request forms, must be properly shredded at your site or placed in a locked shred container for shredding later. DO NOT use an open box under your desk as your shred storage for PHI. If you are using an unsecured container to hold PHI for destruction, there is a greater likelihood of inappropriate access or that it will accidentally be commingled with regular trash. Keep in mind that the destruction of actual medical records is client dependent, so please work with your site management before destroying any medical records.

30 Hot Buttons for Corizon: Verification of Identity. Before you provide records to an inmate or any other third party, you MUST verify that the name of the person in the medical record matches the name being requested. Does the information within the medical record all belong to that inmate? If two different inmates with the same last name of Smith request their records, check, check again and check a third time to ensure that you are providing the correct record to the correct inmate "Smith".

31 Hot Buttons for Corizon Health: Unsecured PHI. EVERY SINGLE TIME you send an email outside the Corizonhealth domain that contains any PHI, the email MUST BE ENCRYPTED, e.g., you send a medical record to an attorney who does not have a corizonhealth.com email address. As a Corizon employee, you must use your Corizonhealth email. DO NOT send emails that contain any PHI from your personal email accounts like Gmail or Hotmail or from your County or state email address. Corizon, as the covered entity, is responsible for the security of the PHI and we cannot control the security of a third party system.

32 What is HIPAA? The Health Insurance Portability and Accountability Act of 1996, commonly referred to as HIPAA, is a federal law which created a national standard for the privacy and security of Protected Health Information ("PHI"). In learning about HIPAA, it is important to recognize that this legislation was enacted with two broad interests in mind: Privacy; Security. Congress became concerned about how to protect the confidentiality of health care data that was being electronically transmitted. Therefore, the purpose of HIPAA was to protect the privacy and security of PHI. HIPAA legislation was passed in However, it was not until 2003 that the Privacy Rule was finally enacted and later in 2005, the Security Rule was enacted.

33 What is HIPAA? In this course, we will first learn about the privacy component of HIPAA, more precisely referred to as the HIPAA Privacy Rule. Generally speaking, the HIPAA Privacy Rule was enacted to encompass the following items: Individual rights; Instructions on how to exercise those individual rights; and Uses and/or disclosures of PHI which must be authorized by the individual (patient) or are required by law.

34 What is HIPAA? After we conclude our discussion of the Privacy Rule, we will redirect our attention to the Security Rule which mandates the administrative, physical, and technical safeguards necessary to protect the confidentiality, integrity, and availability of electronic PHI ("ePHI"). The belief was that privacy is a "fundamental right" and that patients should have the ability to control information pertaining to their care. Therefore, HIPAA gave patients a number of rights, including but not limited to access to medical records, the right to amend records and the right to restrict certain uses and disclosures of their PHI.

35 What is Protected Health Information? HIPAA's Privacy and Security Rules only apply to Protected Health Information, which is commonly referred to as PHI. Therefore, in order for Employees to understand the important aspects of HIPAA, it is critical to know what PHI is. PHI is defined as individually identified health information that is transmitted or maintained in electronic, written, oral, and/or any other recorded form or medium. The Department of Health and Human Services generally considers any health related information that identifies an individual, or reasonably could be used to identify an individual, which is created or received by a covered entity to be PHI.

36 What is Protected Health Information? Individually identifiable health information is: Information that identifies an individual; Information created or received by Corizon Health; and Information that relates to the past, present or future physical or mental health condition of the individual. Remember: PHI does not just refer to medical records, but any document or form that contains individually identifying information about the patient.

37 What is PHI? Some common examples of PHI include: Patient medical records; Prescriptions; Billing information; Patient insurance forms; Patient charts. PHI does NOT include: Employment records held by a Covered Entity in its role as an employer; Educational records. It is important to remember that PHI includes less obvious items in comparison to those common examples provided. If you are unsure as to whether or not a particular item constitutes PHI, please consult the Privacy Officer for further clarification.

38 How does HIPAA apply to Corizon? HIPAA only applies to Covered Entities, which include health plans, health care clearinghouses and health care providers who use PHI in connection with certain electronic transactions (such as payments or claims attachments).

39 How does HIPAA apply to Corizon? Under HIPAA, a health care provider is defined as an entity that furnishes medical services. Because Corizon Health provides medical services to inmates of correctional facilities across the United States, Corizon Health is considered a health care provider. As a health care provider, Corizon Health transmits electronic PHI for purposes of certain transactions which results in Corizon Health being classified as a Covered Entity for purposes of HIPAA. Corizon, as it currently functions, does not meet the definition of either a health care clearinghouse or a health plan. However, Corizon does engage in certain standard transactions, making us a Covered Entity subject to the rules and regulations of HIPAA.

40 Topic 1 Overview Conclusion: Great job, Topic 1 is complete.
Topic Title | Topic # | Time to Complete
Overview | 1 | 15 Minutes
Privacy Rule | 2 | 15 Minutes
Security Rule | 3 | 10 Minutes
Reporting and Enforcement | 4 | 10 Minutes
Scenarios | 5 | 10 Minutes
Review Quiz | Quiz | 10 Minutes
Total Time to Complete: 70 Minutes

41 Topic 2: Privacy Rule. Time to complete: approximately 15 minutes

42 Objectives: At the end of this Topic, the learner will have a good understanding of: The general rules for the use and disclosure of PHI; An individual's right to access his or her own PHI; How to adequately protect an individual's PHI from inappropriate use or disclosure; Documenting non-routine disclosures of PHI; and The reporting of any improper uses or disclosures of PHI to the appropriate personnel so that any harmful effects can be mitigated. Note: "Use" means the PHI is being shared, applied, utilized, examined or analyzed within Corizon and "Disclosure" means the releasing, transferring, or providing access to the PHI outside of Corizon.

43 General Rules for the Use and Disclosure of PHI: The HIPAA Privacy Rule generally requires Corizon Health to take reasonable steps to limit the use and disclosure of PHI to the minimum amount necessary to accomplish this purpose. The Employee shall make a reasonable effort to use and/or disclose only the amount of PHI which is required to perform the essential job functions. It is important to remember that the Minimum Necessary Standard does not apply to all uses and disclosures of PHI.

44 Exceptions to the Minimum Necessary Standard: The Minimum Necessary Standard DOES NOT apply to the following uses and disclosures of PHI: Uses and disclosures of PHI for treatment purposes (e.g. from one health care provider to another); Uses and disclosures of PHI to the individual who is the subject of the PHI; Uses and disclosures of PHI pursuant to a valid HIPAA compliant written authorization; Uses and disclosures of PHI that are required by law.

45 Minimum Necessary Standard Example 1: A patient at the Jail has requested that a copy of his entire medical record be provided to his attorney. He has presented a signed, validly executed authorization for release of his records. Does the Minimum Necessary Standard apply here? (YES / NO) Correct Answer: No, the patient has signed an Authorization allowing his entire record to be sent to his Attorney. The Minimum Necessary Rule does not apply. The entire record must be provided to the patient's attorney.

46 Minimum Necessary Standard Example 2: Patient is being sent off-site to the hospital for a surgical procedure. The surgeon at the hospital calls to speak to the treating physician at the correctional facility about the Patient's care and upcoming procedure. Does the Minimum Necessary Standard apply here? (YES / NO) Correct Answer: No, the Minimum Necessary Standard does NOT apply to uses and disclosures of PHI for the purpose of treatment.

47 Minimum Necessary Standard Example 3: Nurse Nancy makes a serious documentation error in a Patient's chart. Her supervisor works with the HR Department to determine whether corrective action is warranted. The HR Department requests a copy of the medical record as part of its investigation. Does the Minimum Necessary Standard apply here? (YES / NO) Correct Answer: Yes, the Supervisor should only provide the relevant pages of the medical record to the HR department with the patient's name redacted. The HR Department does not need to know the patient's name or see the entire record in order to complete its investigation.

48 Minimum Necessary Standard Example 4: Several inmates at the correctional facility have been diagnosed with and are being treated for a communicable disease. The local health department is on-site at the correctional facility to investigate and help mitigate a possible outbreak. Should the Medical Staff apply the Minimum Necessary Standard when speaking with the Health Department? (YES / NO) Correct Answer: No, this disclosure is required by law so the Minimum Necessary Standard would NOT apply. The Health Department will need all information related to the patients with the communicable disease in order to adequately and effectively treat and prevent the spread of the disease.

49 When is a Written Authorization Required? The HIPAA Privacy Rule requires Employees to obtain a HIPAA compliant written patient authorization prior to using and/or disclosing PHI for certain purposes. Some examples of uses and/or disclosures of PHI that require a HIPAA compliant patient authorization are: Disclosure of PHI to the patient's family or friends in cases where the friend or family member is NOT the patient's personal representative; Disclosure of PHI to the media; Disclosure of PHI to the patient's attorney. Employees can obtain Corizon's standard HIPAA compliant patient authorization online at or from the Super User at your respective site. To be consistent and ensure that the Authorization is HIPAA compliant, it is best to always use the Corizon approved form. If a patient or third party presents an Authorization on a non-Corizon form, you may request that they complete a new authorization on the Corizon form.

50 When a Written Authorization is NOT Required: Employees are NOT required to obtain a HIPAA compliant written authorization prior to using and/or disclosing PHI in the following circumstances: Uses or disclosures of PHI for treatment purposes (providing healthcare services or items); Uses or disclosures of PHI for payment purposes (submitting and receiving claims, making and receiving payment for services); Uses or disclosures of PHI for health care operational purposes (quality improvement activities, credentialing, utilization review, training programs, accreditation activities, insurance rating).

51 When a Written Authorization is NOT Required (Continued): Uses or disclosures of PHI to a correctional facility or officer to assist the facility in providing the patient with health care, protecting the health or safety of the patient or others, or for the safety or security of the correctional facility; Uses or disclosures of PHI to avert serious threat to health or safety (threat to the patient, public, or other individuals); Uses or disclosures of PHI for law enforcement purposes (information related to the commission of a crime on the premises or against health care personnel).

52 When a Written Authorization is NOT Required (Continued): Uses or disclosures of PHI to a Corizon Health Business Associate that has signed a Business Associate Agreement; Uses or disclosures of PHI for public health activities as required by law for the purpose of preventing or controlling disease, injury or disability; Uses or disclosures of PHI for judicial, legal, or administrative proceedings (e.g. Court orders and subpoenas). KEY ELEMENT OF INSTRUCTION: It is important that Employees understand that Corizon Health is the custodian of the PHI in its possession and the Client is the owner. For this reason, Employees must not impede the Client's ability to access its own PHI so long as such use and disclosure complies with the correctional facilities/officer exception listed above.

53 Custodial Exemption: As previously mentioned, in the correctional environment, HIPAA gives broad authority to the providers to allow for the release of information to a correctional facility or officer if the purpose is to provide care to the patient or to protect the health and safety of the officers and/or the facility. However, be cautious with this authority. Any release of information to an officer or a warden should be done so for the purpose of protecting the institution, its officers and the other inmates. This does not give an officer the right to inspect a patient's records out of mere curiosity. You still have an obligation to protect the patient's privacy.

54 Safeguarding the Confidentiality of PHI: YOU are responsible for securing PHI from improper disclosure. Avoiding an improper disclosure includes the following: Sharing PHI with only those that need to know the information in a discreet manner. Refraining from discussing patient information with family, friends, neighbors and others that have no need to know. Avoiding leaving PHI visible on desktops or work surfaces by turning things over and locking information in your desk. You must ensure that any disclosure of information reaches the correct person: Validate fax numbers prior to faxing any PHI; Verify the identity of a person prior to releasing information; Verify addresses before sending any encrypted patient information electronically.

55 Quick Knowledge Check: It is acceptable to put PHI in an open shred or recycle box under your desk since all Corizon employees have taken HIPAA training and understand their obligation to protect the information. Yes or No, you can put PHI in an open shred box under your desk or in a common area?

56 Knowledge Check Answer: Correct Answer: No. Any document containing PHI that is ready for disposal must either be shredded at the site or placed in a locked bin so that other third parties like inmate workers and correctional officers do not have access to the information.

57 Disposal of PHI: Either shred the PHI at the site or place the PHI in a locked receptacle. If you utilize inmate workers in your area for janitorial services, they should never touch your shred bins or empty any containers holding PHI until a shred vendor comes to shred the information. If you have any electronic media (discs, USB drives, etc.) that contain PHI, please contact our IT department for proper disposal instructions. REMEMBER: PHI does not just mean the physical medical record but includes any paper that contains patient information. If that document contains any PHI, it must be disposed of properly.

58 What is required of a Business Associate? The HIPAA Privacy Rule requires Covered Entities such as Corizon Health to enter into a Business Associate Agreement ("BAA") with any third party individual or entity that is determined to be a Business Associate of the Company ("BA"). Upon entering into a BAA with Corizon Health, a BA is then obligated to comply with certain requirements under the Privacy and Security Rules, including agreeing to the use and/or disclosure of PHI only as permitted under the BAA and to maintain the appropriate security safeguards so as to prevent the unauthorized access, use, and/or disclosure of PHI.

59 Business Associate Contracting Process: It is important to remember that Corizon Health may not share PHI (the use and/or disclosure) with a BA until a BAA has been executed between the parties. If you wish to engage a BA, you need to contact the Privacy Officer and they will assist you with the process of drafting and executing the agreement. Corizon Health is required to maintain copies of any fully executed BAAs in the event they are requested by the government. Therefore, it is imperative that the Privacy Officer be involved in the contracting process.

60 Subcontractors: Upon the enactment of the Final Omnibus Rule in 2013, all subcontractors of Corizon Health's Business Associates are required to comply with the Privacy & Security Rules. This significant legislative change will require Corizon Health to carefully monitor the subcontractors utilized by its business associates for the purpose of ensuring 100% compliance.

61 Who is a Business Associate? The appropriate way to determine whether or not a third party individual or entity is a Corizon Health BA is in looking at the activities and/or functions they perform on the Company's behalf. Typical activities or functions performed by a BA for or on behalf of a Covered Entity such as Corizon Health include those listed below, provided the activity or function involves the use and/or disclosure of PHI. Typical Activities / Functions Performed by a Business Associate: Claims Processing; Data Analysis; Utilization Management; Quality Assurance; Benefit Management; Third Party Admin Activities; Practice Management Services; Legal; Accounting / Actuarial; Consulting; Management; Administrative.

62 Who is a Business Associate? To the contrary, if a third party individual or entity performs one or more of the foregoing activities and/or functions on behalf of Corizon Health but DOES NOT access or use PHI in doing so, no business associate agreement is required. Additionally, if a third party individual or entity is a healthcare provider AND only receives and/or uses PHI in treating a common patient (an individual that is also a patient of Corizon Health), no business associate agreement is required. In the event you have any questions with regard to Business Associates, please contact the Privacy Officer and/or a member of the Corizon Health Legal Department.

63 Documenting Non-Routine Disclosures of PHI: Under the Privacy Rule, Corizon Health is required to provide patients with an accounting of all Non-Routine Disclosures of PHI made for up to six (6) years prior to the date of the patient's request. Employees MUST document all Non-Routine disclosures of PHI in the PHI Non-Routine Disclosure Log. You are LEGALLY required to document your disclosures of PHI! A patient has the right to request a copy of an accounting of any and all disclosures of his or her PHI which are considered "Non-Routine."

64 Documenting Non-Routine Disclosures of PHI: The following disclosures of PHI are considered "Non-Routine": Disclosure of PHI to a Health Oversight Agency (CMS, State DHS, SSA); Disclosures of PHI made pursuant to a Court or Administrative Agency Order; Disclosures of PHI made pursuant to a subpoena; Disclosures of PHI made pursuant to a request by a law enforcement agency; Disclosures of PHI made to avoid a serious threat to health or safety; Disclosures of PHI made to a public health agency (state or local public health authority).

65 Routine Disclosures NOTE: Disclosures for the purposes of treatment, payment, and/or operations are NOT considered to be "Non-Routine." In the event you are unable to determine whether or not a disclosure is "Non-Routine", please refer to your Privacy Policies and/or consult the Super User at your facility for further guidance.

66 Documenting Non-Routine Disclosures of PHI When documenting Non-Routine Disclosures of PHI, Corizon Health must record the following information in the PHI Non-Routine Disclosure Log: Date of the disclosure Name and address of the person or organization who received the disclosure Brief description of the PHI disclosed Purpose for which the information was disclosed In the event an Employee has further questions about the documentation requirements for Non-Routine Disclosures of PHI, they should contact their site Super User or the Privacy Officer. 66

67 Non-Routine Disclosure Key Points You MUST maintain an accurate and complete log of ALL nonroutine disclosures of PHI at your site. You MUST maintain the non-routine disclosure log for a minimum of 6 years. If your site is closing, you must mail a hard copy of the nonroutine disclosure log to the Privacy Officer BEFORE the new vendor comes into the facility.

68 Patient s Right to Access PHI As a general rule, HIPAA gives patients certain rights regarding their PHI, including, but not limited to, the right to inspect or obtain a copy of their medical records. Additionally, specialized rules may apply if the patient is legally considered a minor. However, because inmates do not have the same rights as other patients under HIPAA, Corizon Health may deny an inmate s request to inspect or obtain a copy of his or her PHI if it would jeopardize the health, safety, security, custody, or rehabilitation of the individual or other inmates, or the safety of an Employee or the correctional staff of the facility. NOTE: Many Corizon Partners do not allow and/or limit a patient's access to their medical records during incarceration. If your site restricts access to patient records, please contact the Privacy Officer so that he or she can assist you in determining whether you should allow the patient access to his or her medical records. 68

69 What Rights Do Minors Have? HIPAA addresses issues surrounding parental rights relative to a minor (a person who has not reached the legal age of majority) under the regulations dealing with personal representatives. Generally, parents have the authority to make health care decisions about their minor children. Therefore, HIPAA allows parents access to their child's PHI as they are making the decisions. However, if state law allows a minor to exercise his or her own control over a health care decision, HIPAA then allows the minor to control who will have access to the health care information related to that decision. For example, if state law allows a minor to consent to mental health treatment without the consent of a parent, then the parent would not be acting as the minor's personal representative and would not have access to that information. HIPAA defines a personal representative as a person authorized under applicable law to make health care decisions on another individual's behalf. It is important to know that HIPAA takes a deferential approach to patient rights when it comes to dealing with patients who have not reached the legal age of majority (minors). As a general rule, HIPAA gives minors the right to exercise control over their own PHI (including restrictions on access) IF, under state law, the minor in question obtained or could have obtained the medical treatment to which the PHI pertains, WITHOUT parental consent.

70 What Rights Do Minors Have? As is the case with all legal rules, there is an EXCEPTION: If the state law allows or prevents the disclosure of a minor s PHI to a parent or guardian (personal representative), HIPAA defers to the state law. CAUTION: When dealing with minors and their rights with regard to PHI, you should consult the legal department as to what state law allows and/or requires. These situations should be addressed on a case by case basis as there are other legal scenarios where a minor is permitted to restrict access to his or her own PHI (e.g. in cases of abuse or neglect, where PHI involves substance abuse and/or mental health). 70

71 Corizon Health Privacy Officer Corizon Health has designated a HIPAA Privacy Officer whose responsibilities include ensuring HIPAA compliance among all Employees. The Corizon Health Privacy Officer is: Maya Patel Vice President, Associate General Counsel and Privacy Officer Olive Boulevard, Suite 300 St. Louis, MO privacy@corizonhealth.com 71

72 Safeguarding PHI Key Provisions Comprehensive Privacy and Security Policies and Procedures have been developed in order to safeguard PHI. The Corizon Health Privacy and Security Policies & Procedures are available for reference at and in paper form at the site level. Key provisions include the following: All current Employees and all new Employees will receive compliance training consistent with the Corizon Health Privacy and Security Policies and Procedures Only authorized Employees will have access to PHI Access to all PHI will be monitored 72

73 Safeguarding PHI Key Provisions (Continued) Before disclosing PHI for any purpose other than for treatment, payment or health care operations, an Employee should consult the Corizon Health Privacy and Security Policies and Procedures and determine the following: If the disclosure is permitted If a patient authorization is required for the disclosure If the disclosure must be documented 73

74 Safeguarding PHI Key Provisions (Continued) If an employee cannot determine with certainty whether a disclosure is permitted, requires patient authorization, or must be documented, the Employee must contact the Super User or Privacy Officer for clarification. Employees are encouraged to reference the Corizon Privacy and Security Policies and Procedures along with related online compliance resources made available at HIPAA.Corizonhealth.com. 74

75 Employee Privacy Responsibilities All Employees must do the following: COMPLY: Comply with Corizon s Privacy and Security Policies and Procedures; MINDFUL: Be mindful of privacy issues pertaining to the use and disclosure of PHI; ACCESS: Ensure that only authorized Employees access PHI; 75

76 Employee Privacy Responsibilities BEFORE: Before disclosing PHI, consult the Privacy and Security Policies and Procedures to determine if a patient authorization is required for the disclosure and whether or not the disclosure must be documented; REFRAIN: Refrain from discussing PHI in common or unsecured areas (e.g. elevators, lobbies, etc.); and NOTIFY: Notify the Privacy Officer if he or she believes that a Privacy and/or Security Policy and Procedure has been violated

77 Quick Knowledge Check It is acceptable to leave PHI in a copy room or open on a desk because all Corizon employees have taken HIPAA training and understand their obligation with respect to PHI. Yes or No, you can take your time retrieving PHI from a copy room that has access by others and/or leave PHI face up on your desk or common area?

78 Knowledge Check Answer NO, merely because all employees have been trained does not automatically grant them access to PHI. Each employee has an obligation to protect that information from further disclosure. Make sure that you are appropriately securing PHI in your workspace by closing folders and files and never leave information in an open space like a copy room.

79 Topic 2 Privacy Rule Conclusion Great job, Topic 2 is complete. Topic Title Topic # Time to Complete Overview 1 15 Minutes Privacy Rule 2 15 Minutes Security Rule 3 10 Minutes Reporting and Enforcement 4 10 Minutes Scenarios 5 10 Minutes Review Quiz Quiz 10 Minutes Total Time to Complete: 70 Minutes 79

80 Topic 3 Time to complete Topic 3 Security Rule Approximately 10 minutes

81 The Security Rule The HIPAA Security Rule became effective on April 20, 2005, and set a national standard for protection of the confidentiality, integrity, and availability of electronic PHI when it is stored (at rest), maintained, or transmitted. The Security Rule sets forth the standards and processes that are required to protect the confidentiality, integrity, and availability of electronic PHI in the form of Administrative, Physical, and Technical *Safeguards (*covered on next page). 81

82 The Security Rule Administrative Safeguard Example: Requiring authorization for Employees to access electronic PHI. Physical Safeguard Example: Maintaining secure workstations to avoid the incidental viewing of PHI. Technical Safeguard Example: Continuously monitoring all access attempts to electronic PHI. These are only a few examples of the many administrative, technical and/or physical safeguards included in the Security Rule, all of which are in place to ensure the confidentiality, integrity and availability of ePHI.

83 Corizon Health Security Officer Corizon Health has designated a Security Officer whose responsibilities include ensuring compliance with Corizon s Security Policies and Procedures. The Corizon Health Security Officer is: Howard Wolfe 103 Powell Court Brentwood, TN security@corizonhealth.com 83

84 Employee Security Responsibilities All Employees must do the following: ADHERE: Comply with Corizon's Privacy and Security Policies and Procedures; AVOID: Avoid the use of common or obvious passwords; AVOID: Avoid sharing passwords with anyone; LOCK/LOG OFF: Lock or log off workstations whenever leaving them unattended; REPORT: Promptly report any suspected security violations to the Security Officer.

85 Employee Security Responsibilities Your password should be hard to guess but easy for you to remember. Once you have determined an appropriate password, do not share it with anyone or write it down and leave it in a location where someone else can obtain it. Remember that if someone else is able to log in under your username and password, you are ultimately responsible for any actions taken by that person. When you step away from your workstation for any reason, please lock your computer screen and put away or turn over any PHI on your desk to avoid the risk of an unauthorized use or disclosure.

86 Workstation Usage It is important that you protect your workstation space to avoid any accidental disclosures of PHI. Some examples of these safeguards include: RESTRICT view access from others FOLLOW appropriate log-on and log-off procedures LOCK your workstation when you are away from your workspace

87 PHI and Mobile Devices PHI should not be stored on any mobile device like a phone or tablet, unless you have been authorized to do so and have worked directly with Corizon Health's Security Officer. If devices are lost, stolen or compromised, notify your supervisor immediately and report the loss to the Security and Privacy officers!

88 Email Usage Appropriate use of email can prevent the accidental disclosure of ePHI. Best practices include: Use email in accordance with Corizon's usage policy. Use email for business purposes and do not use it in a way that is disruptive, offensive, or harmful. ALWAYS verify the address before sending. Don't open emails containing attachments when you don't know the sender.

89 Corizon Encryption Policy When sending PI or PHI via email to a domain address other than Corizonhealth.com, you must encrypt the communication. Adding any one of the following key words to the subject line of the email will send the message through our secure gateway: encryptme, [ENCRYPT], or [SEND SECURE]. Failure to do so could result in a breach of the PHI.

90 Prohibited Activity You MAY NOT send any PHI from any personal account or other non-Corizonhealth account, like a DOC or county address. When you send an email that contains PHI outside the Corizonhealth.com domain, it needs to be sent from a corizonhealth.com address and be encrypted. DO NOT USE your DOC or county address to communicate with employees or the corporate office regarding any PHI. If you do so, corrective action, up to and including termination, may result.

91 Topic 3 Security Rule Conclusion Great job, Topic 3 is complete. Topic Title Topic # Time to Complete Overview 1 15 Minutes Privacy Rule 2 15 Minutes Security Rule 3 10 Minutes Reporting and Enforcement 4 10 Minutes Scenarios 5 10 Minutes Review Quiz Quiz 10 Minutes Total Time to Complete: 70 Minutes 91

92 Topic 4 Time to complete Topic Reporting/Enforcement Approximately 10 minutes

93 Objectives Upon completing this Topic, you should understand the following: How the HITECH Act of 2009 and the Final Omnibus Rule affect Corizon Health and its Employees; What enforcement measures can be taken in the event our Employees run afoul of compliance. Because the exchange of health information is important for all health care providers and their patients, legislators are constantly looking for ways to modify and/or improve the rules surrounding it. The Final Omnibus Rule is one example of a recent legislative update which increased many of the duties a health care provider has with regard to information privacy and security.

94 Privacy and Security Violations Employees that fail to follow the Privacy and Security Policies and Procedures will be subject to appropriate disciplinary actions as set forth under HIPAA. In the event that an Employee believes that a Privacy and/or Security Policy and Procedure has been violated, the Employee should: Notify the Privacy or Security Officer immediately Assist the Privacy or Security Officer to take whatever steps are practicable to mitigate (minimize) the harm from the violation 94

95 Privacy and Security Violations Once an Employee has been appropriately trained, if that Employee violates a Privacy or Security policy, corrective action, up to and including termination, may be warranted. Further, if you witness a possible violation, you should report it immediately to the Privacy or Security Officer and cooperate in any investigation that takes place. Corizon has a zero-tolerance policy for retaliation. If you believe you are being retaliated against for cooperating in an investigation, you should report this to the Privacy Officer immediately. The duty each Corizon employee has to report potential privacy and/or security violations and/or incidents is critically important to maintaining compliance throughout our organization and its day to day operations.

96 HIPAA Enforcement: Key Facts DELEGATED AUTHORITY: On December 20, 2000, the Department of Health and Human Services secretary delegated the authority to administer and enforce the Privacy and Security Standards to the Office of Civil Rights (OCR). OCR ENFORCEMENT The OCR enforcement process is complaint driven and provides any individual who believes that a HIPAA Covered Entity is not complying with the HIPAA Rules the right to file a complaint. 96

97 HIPAA Enforcement: Key Facts HIPAA MANDATES: HIPAA mandates strict civil and criminal penalties for violations of the Privacy and Security Standards. MONEY PENALTIES: OCR has the power to assess civil money penalties against Corizon Health (a covered entity) if an Employee violates HIPAA. Specifically, OCR may assess civil monetary penalties against Corizon Health for up to $50,000 per violation and up to $1,500,000 each calendar year for identical violations which are not corrected.

98 HIPAA Enforcement: Key Facts CRIMINAL CHARGES: Criminal charges may be brought and enforced by the Department of Justice against Covered Entities or their employees (individually) if an offense is committed with intent to sell, transfer, or use health information for commercial advantage, personal gain, or malicious harm. Violators (covered entities and/or their individual employees) may be fined up to $250,000, imprisoned for up to 10 years, or both. 98

99 HITECH HITECH proposed several modifications to HIPAA, many of which were enacted into law through the Final Omnibus Rule, effective March 26,

100 Breach Notification Requirement What is a breach? Impermissible use or disclosure of (unsecured) PHI is assumed to be a breach unless the Covered Entity, or Business Associate, demonstrates a low probability that the PHI has been compromised based on a risk assessment.

101 Risk Assessment Requirement If you believe a "breach" occurred, you must contact the Privacy Officer IMMEDIATELY so that a risk assessment can be conducted. A Risk Assessment under the Final Rule requires consideration of at least these four factors: The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; The unauthorized person who used the PHI or to whom the disclosure was made; Whether the PHI was actually acquired or viewed; and The extent to which the risk to the PHI has been mitigated.

102 IMPORTANT: You must report ANY suspected Violations You MUST report HIPAA violations: So they can be investigated, managed and documented So they can be prevented from happening again in the future So damages can be kept to a minimum To minimize your personal risk In some instances, management may have to notify affected parties of lost, stolen, or compromised data. If you are not sure if it should be reported, report it anyway!

103 Reporting Violations How do I report a Privacy or Security Violation? Start with your supervisor or site Super User to alert them to the possible issue. Email the Privacy Officer at privacy@corizonhealth.com. Email the Security Officer at security@corizonhealth.com.

104 Quick Knowledge Check True or False - If you believe a breach involving PHI has occurred, you must contact the Privacy Officer immediately.

105 Knowledge Check Answer TRUE, in the event of a PHI Breach, you are required to notify the Privacy Officer IMMEDIATELY so that a Risk Assessment can be conducted. Risk Assessments are conducted by the Privacy Officer in collaboration with site leadership and are required after every "breach" incident.

106 Topic 4 Reporting/Enforcement Conclusion Great job, Topic 4 is complete. Topic Title Topic # Time to Complete Overview 1 15 Minutes Privacy Rule 2 15 Minutes Security Rule 3 10 Minutes Reporting and Enforcement 4 10 Minutes Scenarios 5 10 Minutes Review Quiz Quiz 10 Minutes Total Time to Complete: 70 Minutes 106

107 Topic 5 Time to complete Topic 5 Scenarios Approximately 10 minutes

108 Privacy and Security Violations (Scenario 1) A local state representative has been contacted by one of his constituents expressing concerns for their son s medical care while incarcerated and has called your site demanding a copy of the inmate s medical records and to speak with the treating provider. The appropriate action would be to send a copy over to the representative since he is a government employee. YES NO Correct Answer: No Without a properly executed, HIPAA compliant authorization signed by the inmate, the site may not release any information to the state representative, regardless of his position in the Legislature. 108

109 Privacy and Security Violations (Scenario 2) A terminally ill patient has recently died. During his incarceration, he was never visited by any family member nor had any contact with family. Upon his death, his daughter is now demanding a copy of his medical records. The daughter has provided no evidence that she is the personal representative of the estate. The appropriate action would be to provide the inmate's health record to the attorney. YES NO Correct Answer: No In order to provide a deceased patient's records to a family member, the family member must present documentation evidencing that they have been appointed personal representative of the estate. The HIPAA Privacy Rule protects the individually identifiable health information about a decedent for 50 years following the date of death of the patient. Corizon Health, Inc. All information and photos are confidential and proprietary. All rights reserved.

110 Scenarios Behind Bars (Scenario 3) The mother of a MINOR inmate contacts medical and informs you of the following: She saw her son at a visit today, and he told her that he is not getting his medication and that we put him on medication he does not want to take. It is obvious that she is reporting accurate information. Can you discuss her son s healthcare with her because you realize that she has this information? YES NO Correct Answer: No The Employee must consult the Legal Department as to the policy governing disclosure of PHI to a Personal Representative of a minor. 110

111 Scenarios Behind Bars (Scenario 4) The mother of an ADULT inmate contacts medical and informs you of the following: She saw her son at a visit today and he told her that he is not getting his medication and that we put him on medication he does not want to take. It is obvious that she is reporting accurate information. Can you discuss her son's healthcare with her because you realize that she has this information? YES NO Correct Answer: No The mother needs to provide verification that she has been authorized / designated as the inmate's personal representative via a standard Corizon Health Authorization Form, prior to any PHI being released / discussed / disclosed.

112 Topic 5 Scenarios Conclusion Great job, Topic 5 is complete. Topic Title Topic # Time to Complete Overview 1 15 Minutes Privacy Rule 2 15 Minutes Security Rule 3 10 Minutes Reporting and Enforcement 4 10 Minutes Scenarios 5 10 Minutes Review Quiz Quiz 10 Minutes Total Time to Complete: 70 Minutes 112


More information

ARE YOU HIP WITH HIPAA?

ARE YOU HIP WITH HIPAA? ARE YOU HIP WITH HIPAA? Scott C. Thompson 214.651.5075 scott.thompson@haynesboone.com February 11, 2016 HIPAA SECURITY WHY SHOULD I CARE? Health plan fined $1.2 million for HIPAA breach. Health plan fined

More information

NOTICE OF PRIVACY PRACTICES ORTHOPEDIC ASSOCIATES OF LANCASTER, LTD.

NOTICE OF PRIVACY PRACTICES ORTHOPEDIC ASSOCIATES OF LANCASTER, LTD. NOTICE OF PRIVACY PRACTICES ORTHOPEDIC ASSOCIATES OF LANCASTER, LTD. Willow Valley Medical Center North Pointe Business Park Spooky Nook Sports Complex 212 Willow Valley Lakes Drive 170 North Pointe Boulevard

More information

SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT

SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (Revised on March 1, 2016) THIS HIPAA SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (the BAA ) is entered into on (the Effective Date ), by and between ( EMR ),

More information

Notice of Privacy Policies

Notice of Privacy Policies Notice of Privacy Policies THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. THIS NOTICE BECAME EFFECTIVE

More information

HIPAA PRIVACY AND SECURITY RULES APPLY TO YOU! ARE YOU COMPLYING? RHODE ISLAND INTERLOCAL TRUST LINN F. FREEDMAN, ESQ. JANUARY 29, 2015.

HIPAA PRIVACY AND SECURITY RULES APPLY TO YOU! ARE YOU COMPLYING? RHODE ISLAND INTERLOCAL TRUST LINN F. FREEDMAN, ESQ. JANUARY 29, 2015. HIPAA PRIVACY AND SECURITY RULES APPLY TO YOU! ARE YOU COMPLYING? RHODE ISLAND INTERLOCAL TRUST LINN F. FREEDMAN, ESQ. JANUARY 29, 2015. PURPOSE OF PRESENTATION To Discuss Laws Governing Use and Disclosure

More information

HIPAA & HITECH Privacy & Security. Volunteer Annual Review 2017

HIPAA & HITECH Privacy & Security. Volunteer Annual Review 2017 HIPAA & HITECH Privacy & Security Volunteer Annual Review 2017 HIPAA In 1996, state and federal governments enacted protection for patient health information by signing into law the Health Insurance Portability

More information

BUFFALO ENT SPECIALISTS, LLP

BUFFALO ENT SPECIALISTS, LLP BUFFALO ENT SPECIALISTS, LLP Notice of Privacy Practices This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review

More information

AFTER THE OMNIBUS RULE

AFTER THE OMNIBUS RULE AFTER THE OMNIBUS RULE 1 Agenda Omnibus Rule Business Associates (BAs) Agreement Breach Notification Change Breach Reporting Requirements (Federal and State) Notification to Care1st Health Plan Member

More information

SUMMARY OF NOTICE OF PRIVACY PRACTICES. Your rights related to your medical information are as follows:

SUMMARY OF NOTICE OF PRIVACY PRACTICES. Your rights related to your medical information are as follows: LAKE REGIONAL IMAGING PARTNERS, LLC 1075 NICHOLS ROAD OSAGE BEACH, MO 65065 SUMMARY OF NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND

More information

Interpreters Associates Inc. Division of Intérpretes Brasil

Interpreters Associates Inc. Division of Intérpretes Brasil Interpreters Associates Inc. Division of Intérpretes Brasil Adherence to HIPAA Agreement Exhibit B INDEPENDENT CONTRACTOR PRIVACY AND SECURITY PROTECTIONS RECITALS The purpose of this Agreement is to enable

More information

and disclosure of your PHI for treatment, payment, and health care operations

and disclosure of your PHI for treatment, payment, and health care operations UPMC Health Plan INC./UPMC Health NETWORK, INC./UPMC HEALTH BENEFITS, INC. Notice of Privacy Practices THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN

More information

COUNTY SOCIAL SERVICES POLICIES AND PROCEDURES FOR COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 HIPAA

COUNTY SOCIAL SERVICES POLICIES AND PROCEDURES FOR COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 HIPAA COUNTY SOCIAL SERVICES POLICIES AND PROCEDURES FOR COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 HIPAA 1 Recommended by ISP Committee of CSS on October 22 nd, 2014 Amended

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) SUMMARY OF OUR NOTICE OF PRIVACY PRACTICES. Health Plan Responsibilities

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) SUMMARY OF OUR NOTICE OF PRIVACY PRACTICES. Health Plan Responsibilities HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) SUMMARY OF OUR NOTICE OF PRIVACY PRACTICES This summary describes how the International Union, UAW Health Plan (Health Plan) may use and disclose

More information

Texas Health and Safety Code, Chapter 181 Medical Records Privacy Law, HB 300

Texas Health and Safety Code, Chapter 181 Medical Records Privacy Law, HB 300 Texas Health and Safety Code, Chapter 181 Medical Records Privacy Law, HB 300 Training Module provided as a component of the Stericycle HIPAA Compliance Program Goals for Training Understand how Texas

More information

Central Florida Regional Transportation Authority Table of Contents A. Introduction...1 B. Plan s General Policies...4

Central Florida Regional Transportation Authority Table of Contents A. Introduction...1 B. Plan s General Policies...4 Table of Contents A. Introduction...1 1. Purpose...1 2. No Third Party Rights...1 3. Right to Amend without Notice...1 4. Definitions...1 B. Plan s General Policies...4 1. Plan s General Responsibilities...4

More information

HIPAA MANUAL Whole Child Pediatrics

HIPAA MANUAL Whole Child Pediatrics HIPAA MANUAL HIPAA Manual Table of Contents 1.General a. Abbreviated Notice of Privacy Practices Framed for Reception Area b. Notice of Privacy Practices 6 pages to printer c. Training Agenda d. Privacy

More information

HIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION THE APPLICABLE WELFARE BENEFITS PLANS OF MICHIGAN CATHOLIC CONFERENCE

HIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION THE APPLICABLE WELFARE BENEFITS PLANS OF MICHIGAN CATHOLIC CONFERENCE HIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION THE APPLICABLE WELFARE BENEFITS PLANS OF MICHIGAN CATHOLIC CONFERENCE Policy Preamble This privacy policy ( Policy ) is designed to

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) NOTICE OF PRIVACY PRACTICES

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) NOTICE OF PRIVACY PRACTICES HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) NOTICE OF PRIVACY PRACTICES This notice describes how protected health information about a client may be used and disclosed and how the client

More information

HIPAA PRIVACY REQUIREMENTS. Dana L. Thrasher Robert S. Ellerbrock, III Constangy, Brooks & Smith, LLP

HIPAA PRIVACY REQUIREMENTS. Dana L. Thrasher Robert S. Ellerbrock, III Constangy, Brooks & Smith, LLP HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Robert S. Ellerbrock, III Constangy, Brooks & Smith, LLP dthrasher@constangy.com (205) 226-5464 1 Reasons for HIPAA Privacy Rules Perceived need for protection

More information

Notice of Privacy Practices

Notice of Privacy Practices Notice of Privacy Practices (HIPAA Form) Allergy, Asthma, and Immunology of North Texas, PA THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS

More information

Grayson and Associates, P. C.

Grayson and Associates, P. C. Grayson and Associates, P. C. PATIENT INFORMATION Patient Name Date of Birth Social Security Number - - Male Female Mailing Address City State Zip Email Is it ok for Grayson and Associates, P.C. to communicate

More information

Ottawa Children s Dentistry

Ottawa Children s Dentistry Ottawa Children s Dentistry 1704 Polaris Circle, Ottawa, IL 61350 (815) 434-6447 www.ottawachildrensdentistry.com HIPAA Notice of Privacy Practices Effective Date: August 1, 2016 THIS NOTICE DESCRIBES

More information

NOTICE OF PRIVACY PRACTICES SOUTH DAYTON ACUTE CARE CONSULTANTS, INC.

NOTICE OF PRIVACY PRACTICES SOUTH DAYTON ACUTE CARE CONSULTANTS, INC. NOTICE OF PRIVACY PRACTICES SOUTH DAYTON ACUTE CARE CONSULTANTS, INC. THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE

More information

MEMORANDUM. Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

MEMORANDUM. Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know 1801 California Street Suite 4900 Denver, CO 80202 303-830-1776 Facsimile 303-894-9239 MEMORANDUM To: Adam Finkel, Assistant Director, Government Relations, NCRA From: Mel Gates Date: December 23, 2013

More information

Interim Date: July 21, 2015 Revised: July 1, 2015

Interim Date: July 21, 2015 Revised: July 1, 2015 HIPAA/HITECH Page 1 of 7 Effective Date: September 23, 2009 Interim Date: July 21, 2015 Revised: July 1, 2015 Approved by: James E. K. Hildreth, Ph.D., M.D. President and Chief Executive Officer Subject:

More information

NMH HIPAA Privacy Training Version

NMH HIPAA Privacy Training Version NMH HIPAA Privacy Training 2017 Version Training Objectives To gain a better understanding of: The Notice of Privacy Practices Access Monitoring Keeping Customer Information Private Minimum Necessary Requirements

More information

MICHIGAN HEALTHCARE PROFESSIONALS, P.C.

MICHIGAN HEALTHCARE PROFESSIONALS, P.C. MICHIGAN HEALTHCARE PROFESSIONALS, P.C. PATIENT NOTICE OF PRIVACY PRACTICES As Required by the Privacy Regulations Created as a Result of the Health Insurance Portability and Accountability Act of 1996-(HIPAA),

More information

BUSINESS POLICY AND PROCEDURE MANUAL

BUSINESS POLICY AND PROCEDURE MANUAL 06/10 1 of 1 01-13 GENERAL STATEMENT OF HIPAA Compliance The Health Insurance Portability and Accountability Act of 1996 (HIPAA regulates health care providers (Covered Entities) that electronically maintain

More information

UNITED WORKERS HEALTH FUND 50 CHARLES LINDBERGH BLVD. SUITE 207 UNIONDALE, NY 11553

UNITED WORKERS HEALTH FUND 50 CHARLES LINDBERGH BLVD. SUITE 207 UNIONDALE, NY 11553 UNITED WORKERS HEALTH FUND 50 CHARLES LINDBERGH BLVD. SUITE 207 UNIONDALE, NY 11553 Tel: 516-740-5325 tnl@dickinsongrp.com Fax: 516-740-5326 REVISED NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW

More information

Health Insurance Portability and Accountability Act (HIPAA)

Health Insurance Portability and Accountability Act (HIPAA) Layne Center for Therapy, Education, and Assessment, LLC 175 Carnegie Place Suite 117, Fayetteville, GA 30214 Phone: 706-478-5100 Fax: 844-799-6134 Phone: 678-833-5395 http://www.laynecentertea.org Health

More information

Port City Chiropractic. P.C. 11 Fourth Avenue Oswego, NY Fax HIPAA NOTICE OF PRIVACY PRACTICES

Port City Chiropractic. P.C. 11 Fourth Avenue Oswego, NY Fax HIPAA NOTICE OF PRIVACY PRACTICES Port City Chiropractic. P.C. 11 Fourth Avenue Oswego, NY 13126 315.342.6151 315.342.8548 - Fax HIPAA NOTICE OF PRIVACY PRACTICES PLEASE REVIEW THIS NOTICE CAREFULLY. IT DESCRIBES HOW YOUR MEDICAL INFORMATION

More information

THE CITY AND COUNTY OF SAN FRANCISCO SECTION 125 CAFETERIA PLAN HIPAA PRIVACY POLICIES & PROCEDURES

THE CITY AND COUNTY OF SAN FRANCISCO SECTION 125 CAFETERIA PLAN HIPAA PRIVACY POLICIES & PROCEDURES THE CITY AND COUNTY OF SAN FRANCISCO SECTION 125 CAFETERIA PLAN HIPAA PRIVACY POLICIES & PROCEDURES Effective: November 8, 2012 Terms used, but not otherwise defined, in this Policy and Procedure have

More information

Preparing for a HIPAA Audit & Hot Topics in Health Care Reform

Preparing for a HIPAA Audit & Hot Topics in Health Care Reform Preparing for a HIPAA Audit & Hot Topics in Health Care Reform 2013 San Francisco Mid-Sized Retirement & Healthcare Plan Management Conference March 17-20, 2013 Elizabeth Loh, Esq. Copyright Trucker Huss,

More information

Glenn Hutchinson, Ph.D Century Blvd; suite B Atlanta, GA Health Insurance Portability and Accountability Act (HIPAA)

Glenn Hutchinson, Ph.D Century Blvd; suite B Atlanta, GA Health Insurance Portability and Accountability Act (HIPAA) Glenn Hutchinson, Ph.D. 1784 Century Blvd; suite B Atlanta, GA 30345 404-808-1678 Health Insurance Portability and Accountability Act (HIPAA) NOTICE OF PRIVACY PRACTICES I. COMMITMENT TO YOUR PRIVACY:

More information

HIPAA AND LANGUAGE SERVICES IN HEALTH CARE 1

HIPAA AND LANGUAGE SERVICES IN HEALTH CARE 1 1101 14th St NW, Suite 405 Washington, DC 20005 (202) 289-7661 Fax (202) 289-7724 HIPAA AND LANGUAGE SERVICES IN HEALTH CARE 1 In 1996, the Health Insurance Portability and Accountability Act (HIPAA) became

More information

[Name of Organization] HIPAA Incident/Breach Investigation Procedure 4

[Name of Organization] HIPAA Incident/Breach Investigation Procedure 4 Addendum II [Name of Organization] HIPAA Incident/Breach Investigation Procedure 4 I. Purpose To distinguish between (1) cases in which our HIPAA policy was not correctly followed but such violation did

More information

KENT COUNTY EMPLOYEE NOTICE OF PRIVACY PRACTICES

KENT COUNTY EMPLOYEE NOTICE OF PRIVACY PRACTICES KENT COUNTY EMPLOYEE NOTICE OF PRIVACY PRACTICES Notice of Privacy Practices THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

More information

Peripheral Vascular Associates/Veintec HIPAA Notice of Privacy Practices

Peripheral Vascular Associates/Veintec HIPAA Notice of Privacy Practices Peripheral Vascular Associates/Veintec HIPAA Notice of Privacy Practices THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED BY OUR PRACTICE AND HOW YOU CAN GET ACCESS TO

More information

University of Wisconsin Milwaukee

University of Wisconsin Milwaukee University of Wisconsin Milwaukee Policies and Procedures for the Protection of Patient Health Information Under the Health Insurance Portability and Accountability Act ( HIPAA ) Published April 14, 2003

More information

HILLSBOROUGH COUNTY HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) PROCEDURES

HILLSBOROUGH COUNTY HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) PROCEDURES HILLSBOROUGH COUNTY HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) PROCEDURES July 1, 2017 Table of Contents Section 1 - Statement of Commitment to Compliance... 3 Section 2 General Guidelines

More information

HIPAA: Final Omnibus Rule is Here Arizona Society for Healthcare Risk Managers November 15, 2013

HIPAA: Final Omnibus Rule is Here Arizona Society for Healthcare Risk Managers November 15, 2013 HIPAA: Final Omnibus Rule is Here Arizona Society for Healthcare Risk Managers November 15, 2013 Pat Henrikson, Banner Health HIPAA Compliance Program Director, Chief Privacy Officer Agenda Background

More information

HITECH and HIPAA: Highlights for Health Departments. Aimee Wall UNC School of Government

HITECH and HIPAA: Highlights for Health Departments. Aimee Wall UNC School of Government HITECH and HIPAA: Highlights for Health Departments Aimee Wall UNC School of Government When Congress enacted sweeping legislation in February designed to stimulate the nation s economy, it incorporated

More information

NETWORK PARTICIPATION AGREEMENT

NETWORK PARTICIPATION AGREEMENT NETWORK PARTICIPATION AGREEMENT THIS NETWORK PARTICIPATION AGREEMENT ( Agreement ) is entered into on the date(s) indicated below, by and between the undersigned physician (hereinafter Physician ; and

More information

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. UROGYNECOLOGY CENTER

More information

Regenstrief Center for Healthcare Engineering HIPAA Compliance Policy

Regenstrief Center for Healthcare Engineering HIPAA Compliance Policy Regenstrief Center for Healthcare Engineering HIPAA Compliance Policy Revised December 6, 2017 Table of Contents Statement of Policy 3 Reason for Policy 3 HIPAA Liaison 3 Individuals and Entities Affected

More information

**CONTINUATION COVERAGE RIGHTS UNDER COBRA**

**CONTINUATION COVERAGE RIGHTS UNDER COBRA** **CONTINUATION COVERAGE RIGHTS UNDER COBRA** Federal law requires certain employers sponsoring group health plan coverage to offer their employees (and his or her enrolled family members) the opportunity

More information

HIPAA PRIVACY AND SECURITY AWARENESS

HIPAA PRIVACY AND SECURITY AWARENESS HIPAA PRIVACY AND SECURITY AWARENESS Introduction The Health Insurance Portability and Accountability Act (known as HIPAA) was enacted by Congress in 1996. HIPAA serves three main purposes: To protect

More information

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED OR DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. Northwest Neurology

More information

USES AND DISCLOSURES OF YOUR PROTECTED HEALTH INFORMATION

USES AND DISCLOSURES OF YOUR PROTECTED HEALTH INFORMATION VALLEY SCHOOLS EMPLOYEE BENEFITS TRUST ACTING ON BEHALF OF CHANDLER UNIFIED SCHOOL DISTRICT AND CHANDLER UNIFIED SCHOOL DISTRICT FLEXIBLE BENEFIT PLAN NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES

More information

Barrett Spinal Care, PC 441 S Muskogee Ave. Tahlequah, OK Notice of Patient Privacy Policy

Barrett Spinal Care, PC 441 S Muskogee Ave. Tahlequah, OK Notice of Patient Privacy Policy Barrett Spinal Care, PC 441 S Muskogee Ave. Tahlequah, OK 74464 918-453-0112 Notice of Patient Privacy Policy This notice describes how medical information about you may be used and disclosed, and how

More information

Notice of Privacy Practices

Notice of Privacy Practices Notice of Privacy Practices THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. WHO WILL FOLLOW

More information

Georgia Health Information Network, Inc. Georgia ConnectedCare Policies

Georgia Health Information Network, Inc. Georgia ConnectedCare Policies Georgia Health Information Network, Inc. Georgia ConnectedCare Policies Version History Effective Date: August 28, 2013 Revision Date: August 2014 Originating Work Unit: Health Information Technology Health

More information

Southern Methodist University Health and Wellness Plan NOTICE OF PRIVACY PRACTICES

Southern Methodist University Health and Wellness Plan NOTICE OF PRIVACY PRACTICES Southern Methodist University Health and Wellness Plan NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

More information

Sample Privacy Notice

Sample Privacy Notice Sample Privacy Notice THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. If you have any questions

More information

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. Notice of Privacy Practices KAISER PERMANENTE HAWAII REGION THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW

More information

PATIENT NOTICE OF PRIVACY PRACTICES

PATIENT NOTICE OF PRIVACY PRACTICES PATIENT NOTICE OF PRIVACY PRACTICES This Notice of Privacy Practices describes how we may use and disclose your protected health information to carry out treatment, payment or health care operations and

More information

Hand & Microsurgery Medical Group, Inc. HIPAA NOTICE AND ACKNOWLEDGEMENT

Hand & Microsurgery Medical Group, Inc. HIPAA NOTICE AND ACKNOWLEDGEMENT Hand & Microsurgery Medical Group, Inc. HIPAA NOTICE AND ACKNOWLEDGEMENT Acknowledgement: I acknowledge that I have received the attached Notice of Privacy Practice. Patient or Personal Representative

More information

HIPAA NOTICE OF PRIVACY PRACTICES

HIPAA NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. If you have any questions about this notice,

More information

HIPAA OMNIBUS RULE. The rule makes it easier for parents and others to give permission to share proof of a child s immunization with a school

HIPAA OMNIBUS RULE. The rule makes it easier for parents and others to give permission to share proof of a child s immunization with a school ASPPR The omnibus rule greatly enhances a patient s privacy protections, provides individuals new rights to their health information, and strengthens the government s ability to enforce the law. The changes

More information

HIPAA in the Digital Age. Anisa Kelley and Rachel Procopio Maryan Rawls Law Group Fairfax, Virginia

HIPAA in the Digital Age. Anisa Kelley and Rachel Procopio Maryan Rawls Law Group Fairfax, Virginia HIPAA in the Digital Age Anisa Kelley and Rachel Procopio Maryan Rawls Law Group Fairfax, Virginia Virginia MGMA reminds attendees that the program is not intended to provide legal advice and advises participants

More information

HIPAA COMPLIANCE PLAN FOR OHIO EYE ASSOCIATES, INC.

HIPAA COMPLIANCE PLAN FOR OHIO EYE ASSOCIATES, INC. HIPAA COMPLIANCE PLAN FOR OHIO EYE ASSOCIATES, INC. Adopted August 2016 PREPARED BY STACEY A. BOROWICZ, ESQ. DINSMORE & SHOHL LLP 614-227-4212 STACEY.BOROWICZ@DINSMORE.COM 10600677V1 75602.1 i OHIO EYE

More information

Chevron Phillips Chemical Company LP Health & Welfare Benefit Plan

Chevron Phillips Chemical Company LP Health & Welfare Benefit Plan Chevron Phillips Chemical Company LP Health & Welfare Benefit Plan Notice of Privacy Practices Effective April 14, 2003 Updated September 23, 2013 This Notice describes how medical information about you

More information

Getting a Grip on HIPAA

Getting a Grip on HIPAA Getting a Grip on HIPAA Privacy and Security of Health Information in the Post-HITECH Age Jean C. Hemphill hemphill@ballardspahr.com 215.864.8539 Edward I. Leeds leeds@ballardspahr.com 215.864.8419 Amy

More information

30 Supplier Standards

30 Supplier Standards 30 Supplier Standards Medicare regulations have defined standards that a supplier must meet to receive and maintain a supplier number. The supplier must certify in its application for billing privileges

More information