COMPLIANCE DEPARTMENT LSUHSC-S Louisiana State University Health Sciences Center Shreveport ACKNOWLEDGEMENT RECEIPT for COMPLIANCE, HIPAA PRIVACY, AND INFORMATION SECURITY SELF-STUDY GUIDE I hereby certify that I have received the LSUHSC-S Compliance, HIPAA Privacy, and Security Self-Study Basic Training Guide. I understand that I will be accountable for the information contained therein. I also understand that this acknowledgement will be maintained as a record of my participation in the Compliance and HIPAA training program and may be reviewed by the Federal Government. PRINT NAME: DEPARTMENT: EMPLOYEE ID #: DATE: SIGNATURE: FOR OFFICE USE ONLY Original 4/1/03 Revision 1/22/07, 1/08/09, 1/21/16
COMPLIANCE, HIPAA PRIVACY, AND INFORMATION SECURITY SELF-STUDY GUIDE Education about HIPAA and LSUHSC-S s policies and procedures related to complying with HIPAA is required by law. All facility employees of LSUHSC clinics and LSUHSC School of Medicine, who are under the direction of the North Louisiana Chancellor, are required to complete this module and be familiar with related policies. All campuses and facilities will be designated as LSUHSC-S for purposes of HIPAA. 1
What is HIPAA? In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was endorsed by the U.S. Congress. The HIPAA Privacy Rule, also called the Standards for Privacy of Individually Identifiable Health Information, provided the first nationally-recognizable regulations for the use/disclosure of an individual's health information. Essentially, the Privacy Rule defines how covered entities use individually-identifiable health information or Personal Health Information (PHI). Why is HIPAA necessary? HIPAA was passed by Congress in response to growing concerns that technological advances and the increasingly complex manner in which health care services were delivered and coordinated were resulting in, or could result in, risks to the privacy of an individual s health information maintained by health care providers, health plans, and their various business associates. State statutes existed; however, few provided comprehensive, reliable standards and even fewer made it clear as to what patients rights were to access information in their own medical records. Objective of HIPAA Gives patients control over the use of their health information Defines boundaries for the use/disclosure of health records by covered entities Establishes national-level standards that healthcare providers must comply with Helps to limit the use of PHI and minimizes chances of its inappropriate disclosure Strictly investigates compliance-related issues and holds violators accountable with civil or criminal penalties for violating the privacy of an individual's PHI Supports the cause of disclosing PHI without individual consent for individual healthcare needs, public benefit, and national interests What is a Covered Entity? A Covered Entity is a health care provider, health care clearinghouse, or health plan, which transmits PHI electronically in connection with a transaction. All of LSUHSC-Shreveport facilities are part of the LSUHSC-S covered entity and for purposes of HIPAA are designated as LSUHSC-S. 2
What is a Business Associate? A Business Associate is a person or entity that performs certain functions or activities on behalf of an entity or provides certain services to an entity that involves the use or disclosure of PHI. Examples are document shredding services and physician billing companies. What does disclosure mean? Disclosure means the release, transfer, provision of, access to, or the divulgence of patient information in any manner outside of the covered facility. What is a Notice of Privacy Practices? The HIPAA Privacy Rule gives individuals a fundamental new right to be informed of the privacy practices of their health plans and most of their health care providers, as well as to be informed of their privacy rights with respect to their personal health information. Health plans and covered health care providers are required to develop and distribute a notice that provides a clear explanation of these rights and practices. The notice is intended to focus individuals on privacy issues and concerns, to prompt them to have discussions with their health plans and health care providers, and exercise their rights. Covered entities are required to provide a notice in plain language that describes: How the covered entity may use and disclose protected health information about an individual. The individual s rights with respect to the information and how the individual may exercise these rights, including how the individual may complain to the covered entity. The covered entity s legal duties with respect to the information, including a statement that the covered entity is required by law to maintain the privacy of protected health information. Whom individuals can contact for further information about the covered entity s privacy policies. The Notice of Privacy Practices must be given to each patient and must be posted at each provider site. Except in an emergency treatment situation, LSUHSC-S employees must make a good faith effort to obtain the individual s written acknowledgment of receipt of the privacy notice. If an acknowledgment cannot be obtained, the representative must document his or her efforts to obtain the acknowledgment and the reason why it was not obtained. 3
What is Protected Health Information? Any individually identifiable health information transmitted or maintained by a covered entity used or disclosed for treatment, payment, or operations. It also includes all electronic, written, and verbal patient information. There are 18 identifying date elements listed in HIPAA regulations. PHI Data Elements Names All geographic subdivisions smaller than a state, except for the initial three digits of the zip code if the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people All elements of dates, except year, and all ages over 89 or elements indicative of such age Telephone numbers Fax numbers Email addresses Social security numbers Medical record numbers Health plan beneficiary numbers Account numbers Certificate or license numbers Vehicle identifiers and serial numbers, including license plate numbers Device identifiers and serial numbers Web Universal Resource Locators (URLs) Internet Protocol (IP) addresses Biometric identifiers, including finger and voice prints Full face photographs and any comparable images Any other unique, identifying number, characteristic, or code, except as permitted for reidentification in the Privacy Rule What is not considered PHI? Health information is not protected health information if it is de-identified. Deidentified information may be used without restriction and without patient authorization. If the resulting information cannot be used to identify the individual, then it is no longer PHI. 4
What patient information must we protect? We must protect all PHI including, but not limited to, medical records, diagnoses, x-rays, photos and images, recordings, prescriptions, specimens, lab work and other test results, billing records, claim data, referral authorizations, and explanation of benefits. Clinical research records of patient care must also be protected. Who is authorized to access confidential PHI? PHI may be accessed without patient consent under certain circumstances and for certain purposes. Three of these purposes Treatment, Payment and health care Operations (TPO) are the most common: T Treatment (A physician can call his or her colleague in another specialty to get the colleague s input on the care being provided). P Payment (A physician s staff can submit a bill to the individual s insurance company to obtain payment for the services provided). O Operations (A physician s compliance staff can access the individual s PHI to conduct an assessment of the physician s coding and documentation practices). What is the minimum necessary standard? HIPAA covered entities must make reasonable efforts to limit their use or disclosure of PHI to the minimum necessary to accomplish the intended purpose. It is up to the covered entity rather than patient to determine what minimum necessary means. Also, there are some situations to which the minimum necessary standard does not apply. For example, it doesn t apply to information disclosed in connection with treatment or when a patient authorizes a use or disclosure of information. For more information on the minimum necessary standard, see 45 CFR 164.502(b) and 45 CFR 164. 514(d). When are written patient authorizations required? To use or disclose PHI for almost any reason other than T-P-O, including research and fundraising, you will need to obtain a written authorization from the patient prior to access, use, or disclosure. For releases from the medical record, the signed authorization must be placed in the patient s medical record. 5
Psychotherapy notes require special handling and authorizations. All requests for psychotherapy notes must be routed to the appropriate medical records department. PHI may be used for research, fundraising, public information, or health care communications, but special rules apply. Why do I need to know this information? All reasonable efforts must be made to disclose no more than the minimum necessary information about a patient than is needed to accomplish the intended purpose. Staff access to PHI is based on specific job duties and roles. What are some things I can do to protect our patients privacy? Access only information you need to do your job Treat all information as if it were about you or your family Limit discussions at bedside (use good judgment) Do not discuss confidential patient information in elevators, hallways, the cafeteria, restrooms, etc. Do not discuss patients with your family, friends, or other employees in the hospital that are not directly involved in the patient s treatment, payment, and operations Do not access or share patient information about your family members, your friends, or any other person unless it is needed to do your job Access only those computer systems you are officially authorized to access Do not leave charts, schedules, or computer screens containing patient information in plain view Do not share passwords Do not allow others to read over your shoulders Do not allow visitors or patients in staff areas, dictating rooms, chart storage areas, etc. Do not hold telephone conversations or conduct dictation in areas where confidential patient information can be overheard Shred PHI before discarding Call out only the patient s name in a waiting room 6
What rights do patients have under the HIPAA Privacy Regulations? Patients rights under HIPAA are described in the Notice of Privacy Practices. The notice is made available to patients in many settings. These rights include: Right to Receive the Notice of Privacy Practices Right of Access to Paper or Electronic Copies Right to Request an Amendment or Addendum Right to an Accounting of Disclosures Right to Request Restrictions Right to Request Confidential Communications Right to Complain What are the penalties under HIPAA? Civil Penalties: HIPAA Violation Minimum Penalty Maximum Penalty Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA HIPAA violation due to reasonable cause and not due to willful neglect HIPAA violation due to willful neglect but violation is corrected within the required time period $100 per violation, with an annual maximum of $25,000 for repeat violations $1,000 per violation, with an annual maximum of $100,000 for repeat violations $10,000 per violation, with an annual maximum of $250,000 for repeat violations $50,000 per violation, with an annual maximum of $1.5 million $50,000 per violation, with an annual maximum of $1.5 million $50,000 per violation, with an annual maximum of $1.5 million HIPAA violation is due to willful neglect and is not corrected $50,000 per violation, with an annual maximum of $1.5 million $50,000 per violation, with an annual maximum of $1.5 million ***The Secretary of the Department of Health and Human Services is still prohibited from imposing civil penalties (except in cases of willful neglect) if the violation is corrected within 30 days (this time period may be extended). 7
Criminal Penalties: Simple Disclosure: fines up to $50,000 and/or up to 1 year in prison Disclosure under False Pretenses: fines up to $100,000 and/or up to 5 years in prison Disclosure with intent to sell or use: fines up to $250,000 and/or up to 10 years in prison HIPAA Information Security If your job duties require that you access the LSUHSC-S network or any hospital computer system, you will also be required to complete online HIPAA training. Even though you may not need access to the computer network to do your job, you still play an important role in the security of LSUHSC-S. Things you should not do: Look over the shoulders of people working at computers. Hold open the door to a secure area (like computer services) for someone you don t know. Try to hack or otherwise gain access to the network. Assist anyone who is trying to hack the network. Help anyone who asks you to find their password. Surf the internet with an unused computer. Some websites carry viruses that can disable the network. It also ties up network resources others need to do their jobs. Bring a computer from home and plug it into the network. 8
Things you should do: Always keep keys, access cards, and other security items in your possession. Never loan them out to anyone. If you wish to be helpful to someone who does not have access to a secure area, escort him or her to someone within the secure area who can assist him or her in his or her needs. If you see an unattended computer with data displayed, bring it to the attention of the supervisor of that area. If a printout is left unattended on a printer or copier, bring it to the attention of the supervisor of that area. If you see someone you do not recognize using a computer or loitering around a computer, ask them politely if you can help them and escort them to someone who can make sure they get what they need. If they do not cooperate, notify campus police and your help desk. By following these simple rules, you are helping to ensure that the data of our faculty, staff, patients, and students is kept secure and confidential. Where can I find LSUHSC-S s HIPAA Policies? http://myhsc.lsuhscshreveport.edu/compliance/compliance.aspx Compliance The False Claims Act: 31 U.S.C. Sections 3729 through 3730 The statute begins, in 3729(a), by explaining the conduct that creates False Claims Act (FCA) liability. The FCA imposes liability on any person who submits a claim to the federal government that he or she knows (or should know) is false. An example may be a physician who submits a bill to Medicare for medical services she knows she has not provided. The FCA also imposes liability on an individual who may knowingly submit a false record in order to obtain payment from the government. An example of this may include a government contractor who submits records that he knows (or should know) are false and that indicates compliance with certain contractual or regulatory requirements. 9
The third area of liability includes those instances in which someone may obtain money from the federal government to which he may not be entitled and then uses false statements or records in order to retain the money. An example of this so-called reverse false claim may include a hospital that obtains interim payments from Medicare throughout the year, and then knowingly files a false cost report at the end of the year in order to avoid making a refund to the Medicare program. The terms "know(s)" and "knowingly" mean that a person, with respect to information (1) has actual knowledge of the information; (2) acts in deliberate ignorance of the truth or falsity of the information; or (3) acts in reckless disregard of the truth or falsity of the information, and no proof of specific intent to defraud is required. Civil Penalties under the False Claims Act Violators of the FCA is liable to the United States Government for a civil penalty of not less than $5,000 and not more than $10,000, (those amounts are adjusted from time to time; the current amounts are $5,500 to $11,000) plus 3 times the amount of damages which the Government sustains because of the act of that person. Federal Whistleblower The FCA provides that private parties may bring an action on behalf of the United States, 31 U.S.C. 3730 (b). These private parties, known as qui tam relators, may share in a percentage of the proceeds from an FCA action or settlement. Section 3730(d)(1) of the FCA provides, with some exceptions, that a qui tam relator, when the Government has intervened in the lawsuit, shall receive at least 15 percent but not more than 25 percent of the proceeds of the FCA action depending upon the extent to which the relator substantially contributed to the prosecution of the action. When the Government does not intervene, section 3730(d)(2) provides that the relator shall receive an amount that the court decides is reasonable and shall be not less than 25 percent and not more than 30 percent. Federal Whistleblower Protection Under Section 3730(h) of the FCA, any employee who is discharged, demoted, harassed, or otherwise discriminated against because of lawful acts by the employee in furtherance of an action under the Act is entitled to all relief necessary to make the employee whole. Such relief may include: Reinstatement Double back pay Compensation for any special damages including litigation costs and reasonable attorneys' fees 10
Louisiana State Law RS 46:437.3 through RS 46:440.3 Under Louisiana state law, the definition of a false or fraudulent claim is slightly broader, LSA R.S. 46.437.--, 8 False or fraudulent claim" means a claim which the health care provider or his billing agent submits knowing the claim to be false, fictitious, untrue, or misleading in regard to any material information. The terms know(s) and knowingly mean that the person has actual knowledge of the information or acts in deliberate ignorance or reckless disregard of the truth or falsity of the information. State Whistleblower Just as with the federal whistleblower statute, under Louisiana state law, A private person may institute a civil action in the courts of this state on behalf of the medical assistance programs and himself to seek recovery for the violation. The institutor shall be known as a "qui tam plaintiff" and the civil action shall be known as a "qui tam action". Generally, if the secretary or the attorney general intervenes in the action brought by a qui tam plaintiff, the qui tam plaintiff shall receive at least ten percent, but not more than twenty percent, of recovery, exclusive of the civil monetary penalty provided in R.S. 46:439.6(C). In making a determination of award to the qui tam plaintiff, the court shall consider the extent to which the qui tam plaintiff substantially contributed to investigations and proceedings related to the qui tam action. A person who is or was a public employee or public official or a person who is or was acting on behalf of the state shall not bring a qui tam action if one of the following: The person has or had a duty or obligation to report, investigate, or pursue allegations of wrongdoing or misconduct by healthcare providers. The person had access to the records of the state through the normal course and scope of his employment relative to activities of healthcare providers. State Whistleblower Protection No employee shall be discharged, demoted, suspended, threatened, harassed, or discriminated against in any manner in the terms and conditions of his employment because of any lawful act engaged in by the employee or on behalf of the employee in furtherance of any action taken pursuant to this Part in regard to a health care provider or other person from whom recovery is or could be sought. Such an employee may seek any and all relief for his injury to which he is entitled under state or federal law. No individual shall be threatened, harassed, or discriminated against in any manner by a health care provider or other person because of any lawful act engaged in by the individual or on behalf of the individual in furtherance of any action taken pursuant to this Part in regard to a health care provider or 11
other person from whom recovery is or could be sought except that a health care provider may arrange for a recipient to receive goods, services, or supplies from another health care provider if the recipient agrees and the arrangement is approved by the secretary. Such an individual may seek any and all relief for his injury to which he is entitled under state or federal law. An employee of a private entity may bring his action for relief against his employer or the health care provider in the same court as the action or actions were brought pursuant to this Part or as part of an action brought pursuant to this Part. A qui tam plaintiff shall not be entitled to recovery pursuant to this Section if the court finds that the qui tam plaintiff instituted or proceeded with an action that was frivolous, vexatious, or harassing part of an action brought pursuant to this Part. Rewards for Fraud and Abuse Information State law provides that there may be a reward of up to two thousand dollars to an individual who submits information to the secretary which results in recovery pursuant to the provisions of this Part, provided such individual is not himself subject to recovery under this Part. It is every employee s responsibility to report suspected violations of the laws, regulations and policies, or other questionable conduct. Fraud Hurts Everyone! 12