Health Information Privacy and Security Including HIPAA and ...

Slide 1: Health Information Privacy and Security
Maine Department of Health and Human Services

Slide 2: Contents
- Purposes for this Training
- Basics
- Best Practices
- Permitted Disclosures
- Breach Notification and Enforcement
- Research
- Summary
- Knowledge Check

Slide 3: Three Purposes for This Training
1. Legal and Regulatory Mandate. The law requires education on privacy and security. It also requires the Department to have and enforce a Sanction Policy for failure to comply with our confidentiality policies. Compliance is MANDATORY.
2. Reinforcing a Culture of Compliance. The Department is committed to ensuring compliance with federal and state requirements at every level of our operations.
3. It's the Right Thing to Do. We honor the confidentiality of our consumers' confidential and sensitive information, just as we would want our own data to be honored and protected.

Slide 4: Basics: What Does HIPAA Protect?
The Health Insurance Portability and Accountability Act, or HIPAA (and its update, HITECH), safeguards Protected Health Information, or PHI. PHI is essentially identifiable information about an individual's physical or mental health, services rendered, or payment for services. It may be:
- verbal, such as a conversation between healthcare providers
- recorded on paper, such as in a medical chart or claims record
- kept or shared electronically

Slide 5: Basics: The Department Protects Different Types of Consumer Data
Our PROTECTED INFORMATION includes:
- Confidential information
- Protected Health Information
- Restricted data
- Personal or Identifiable Health Information

Slide 6: Basics: Protected HIPAA/HITECH Identifiers
- Names
- Addresses
- Full face photos
- Medical record number
- Account number
- Vehicle identifiers, including license plate and serial number
- Email address
- Dates of birth, death, admission, treatment, discharge
- Telephone and fax numbers
- Device identifiers, including serial number
- Biometric identifiers, including finger and voice prints
- URLs
- IP addresses
- Health plan beneficiary number/ID
- Certificate/License number
- Social Security Number
- Genetic history and test results
- Any other unique number, characteristic or code

Slide 7: Basics: Hybrid Entity
The Department is a hybrid entity from a HIPAA perspective. That means that the Department has activities that are considered HIPAA-covered and other activities that are not covered by the HIPAA Privacy and Security Rules. Click here to see the Department's Hybrid map.

Slide 8: Basics: Our Completely HIPAA-Covered Entities
Healthcare providers and health plans, including Medicaid, must comply with HIPAA, as well as with other applicable statutes, regulations and rules that govern health information privacy and security. The Department's completely HIPAA-covered entities are:
- Office of MaineCare Services
- Riverview Psychiatric Center
- Dorothea Dix Psychiatric Center

Slide 9: Basics: Our Partially HIPAA-Covered Entities
- The Centers for Disease Control and Prevention has several covered programs: Public Health Nursing; Health and Environmental Testing Lab (for human/clinical specimens).
- Most Office of Aging and Disability Services programs are HIPAA-covered, except for Adult Protective and Legal Services.
- Office for Family Independence is covered for its work on behalf of OMS, but not for other programs such as ASPIRE, TANF, or its Child Support Enforcement efforts.

Slide 10: Basics: Additional HIPAA-Covered Components
Other offices, programs or services that are HIPAA-covered by virtue of the oversight or business functions performed in support of the Department's HIPAA-Covered Entities include:
- The Commissioner's Office
- The General Counsel and Director of Healthcare Privacy
- Division of Audit
- Fraud
- Constituent Services
- DAFS (Division of Administrative Financial Services)/Financial Service Center
- District Operations Accounting
- District Operations Facilities
- Office of Administrative Hearings

Slide 11: Basics: Safeguard All Protected Information
Even if your office or program is not HIPAA-covered, our workforce must treat Protected Information as confidential, based upon other laws, regulations, rules and Department policy.

Slide 12: Basics: Our Colleagues
Remember that some of our colleagues may be receiving Department services and must receive the same confidentiality protections as other consumers.

Slide 13: Best Practices: Safeguards
HIPAA and HITECH require safeguards to secure the integrity, confidentiality, and availability of PHI. These safeguards are common sense best practices.

Slide 14: Best Practices: Administrative Safeguards
Administrative safeguards include:
- Privacy/Security Officials (such as the Director of Healthcare Privacy and our Privacy/Security Liaisons)
- Policies and procedures
- Business Associate Agreement language
- Training and education

Slide 15: Best Practices: Physical Safeguards
Physical safeguards relate to protections from natural, environmental, and man-made hazards and may include:
- Using structural workstation protections like dividers and Plexiglas windows
- Turning computer screens and paper files away from the public's view
- Putting documents away in files and file cabinets
- Securing mobile devices containing the Department's confidential information

Slide 16: Best Practices: Technical Safeguards
Technical safeguards include:
- Locking your computer when you leave your desk
- Using strong passwords and not posting or sharing them
- Saving Protected Information to the appropriate network drive or encrypted device
- Not emailing Protected Information to your personal email address
- Not downloading programs unless approved by OIT (Office of Information Technology)
- Not clicking on unknown links received through email

Slide 17: Best Practices: Communication Methods
Fax
- Keep the machine in a secure location.
- Include only the minimum necessary Protected Information in your coversheet.
- Don't leave faxes on the machine.
- Double check fax numbers before sending.
- Contact your Privacy/Security Liaison if your fax is received by the wrong party.
Phone
- Speak in a low voice and in a private location when discussing Protected Information, either on or off site.
Email
- Avoid using Protected Information in the subject line.
- Use encryption wherever possible.
- Slow down and be careful about the auto-fill feature, so you don't accidentally send Protected Information to the wrong recipient!
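As an added illustration (not part of the Department's training or its tooling), the following Python pre-send check looks for the identifier classes from the identifier slide that have a recognisable textual shape and applies the e-mail rules above: it flags any identifier in the subject line and, when the body carries identifiers, a recipient outside an approved-domain list. The approved-domain list, the `dept.example`/`personal-mail.example` domains and the sample message are assumptions constructed for the example.

```python
"""Pre-send check for the HIPAA identifier classes listed on the identifier
slide, applied to the e-mail rules (nothing protected in the subject line,
care with the recipient). Added illustration, not Department code. Names,
addresses, photos, biometric and genetic data have no fixed text shape and
need human or dictionary review; they are deliberately not attempted here."""
import re

IDENTIFIER_PATTERNS = {
    # Social Security Number in the usual 3-2-4 form.
    "social_security_number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # US telephone/fax: (207) 555-0142, 207-555-0142 or 207.555.0142.
    "telephone_or_fax": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "email_address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    # Dates of birth, death, admission, treatment or discharge written MM/DD/YYYY.
    "date": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    # Medical record or account numbers written with their label, e.g. "MRN 4481923".
    "medical_record_or_account_number": re.compile(
        r"\b(?:MRN|Acct|Account)\s*#?\s*:?\s*\d{5,}\b", re.IGNORECASE),
}


def scan_text(text):
    """Map each identifier class found in `text` to the strings that matched."""
    hits = {}
    for label, pattern in IDENTIFIER_PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[label] = found
    return hits


def scan_message(subject, body):
    """Scan subject and body separately: the subject line is the part of an
    e-mail that must carry no Protected Information at all."""
    return {"subject": scan_text(subject), "body": scan_text(body)}


def presend_review(subject, body, recipient, approved_domains):
    """Return the problems a sender should fix before sending.
    `approved_domains` is an assumption of this example, not Department policy:
    recipient domains to which Protected Information may be sent (encrypted)."""
    findings = scan_message(subject, body)
    problems = []
    if findings["subject"]:
        problems.append("subject line contains identifiers: "
                        + ", ".join(sorted(findings["subject"])))
    domain = recipient.rsplit("@", 1)[-1].lower()
    if findings["body"] and domain not in approved_domains:
        problems.append("body contains identifiers (" + ", ".join(sorted(findings["body"]))
                        + ") but recipient domain " + domain + " is not approved")
    return problems


# Constructed sample message for the demonstration, not real consumer data.
SAMPLE_SUBJECT = "Claim for MRN 4481923 - follow up"
SAMPLE_BODY = "Client DOB 03/14/1968, SSN 123-45-6789. Call 207.555.0142 with questions."

if __name__ == "__main__":
    for problem in presend_review(SAMPLE_SUBJECT, SAMPLE_BODY,
                                  "case.worker@personal-mail.example", {"dept.example"}):
        print("STOP:", problem)
```

A check like this catches only the shaped identifiers; the minimum necessary standard (sending no more than the job needs) still has to be applied by the person reviewing the message.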

Slide 18: Best Practices: Portable Devices
- Use encrypted devices.
- Physically protect devices on or off site.
- Keep Protected Information private and secure at home if you have permission to work outside the office or facility.

Slide 19: Best Practices: Portable Devices
- Never use your cell phone to photograph Department schedules or other documents.
- Never copy Protected Information onto a portable device without specific permission of your supervisor.
- Never leave your Department-issued laptop, cell phone, electronic device or other Protected Information visible or unlocked in a vehicle.
- Never leave your passwords with your portable devices.
- Keep paper-based Protected Information separate from your electronic device(s) when traveling.

Slide 20: Best Practices: Portable Devices
- Consider your surroundings. Do not display Protected Information in cafés or other public settings.
- Contact your Privacy/Security Liaison immediately if Protected Information is lost.
This, and all privacy and security policies, apply to our entire workforce, including staff, students, interns, volunteers and contractors.

Slide 21: Best Practices: Policies and Education
We are only as strong as our weakest link. Best practices call for strong policies, an understanding of those policies, and education on privacy and security issues impacting our work. A Department Intranet Privacy and Security Page is available for our workforce and is updated regularly. It includes our policies, forms, blog posts, and much more. Click on the link to view the webpage.

Slide 22: Best Practices: Maintaining a Culture of Compliance
Along with complying with Department policies and using our forms, we can weave awareness of confidentiality through the work we do by:
- Putting up posters and including privacy and security topics on our meeting agendas
- Doing regular walk-through reviews of our offices
- Addressing confidentiality gaps
- Commending those who protect our consumer information
- Retaining documentation of all compliance efforts, including discussions at meetings and training, for proof of efforts

Slide 23: Best Practices: Staying Informed Through the Privacy/Security Liaison Program
(Diagram of the liaison program, showing the Director of Healthcare Privacy, the Office and Program Privacy/Security Liaisons, the Local Workforce, and the District and Off-site Workforce.)
The list of Privacy/Security Liaisons is located on the Department's Privacy/Security intranet webpage. Click here to review.

Slide 24: Best Practices: The Minimum Necessary Standard
- Only access and use the minimum Protected Information necessary to do your job.
- Only disclose Protected Information that is specifically requested or that is required or permitted by law to be disclosed.
- Only access Protected Information when there is a work-related need to know.
- Never access, copy, take or send Protected Information from the office, even if it involves you or your family, unless specifically authorized to do so by your supervisor.

Slide 25: Permitted Disclosures
HIPAA: PHI may be used and disclosed for Treatment, Payment or Healthcare Operations (TPO).
- Treatment includes information used to provide or manage care and services to a patient or client, including referral to other providers, tests, prescriptions, medical devices, and care coordination.
- Payment for a Provider includes information used to obtain payment for services, including billing and collection activities.
- Payment for a Health Plan includes information used to fulfill coverage responsibilities, including to authorize and provide benefits, conduct financial operations, process claims, and conduct utilization review activities.
- Healthcare Operations are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run the program, plan, or healthcare entity's business, and to support the core functions of treatment and payment.

Slide 26: Permitted Disclosures: HIPAA
Additional disclosures permitted by designated Department staff include:
- After first consulting with our General Counsel and Director of Healthcare Privacy, for judicial and administrative proceedings under specified circumstances
- To a health oversight agency for oversight activities authorized by law, such as licensing and compliance
- For research, after receiving permission from a Department-approved research board
- To comply with workers' compensation program requirements
- Where required by other laws
- For public health purposes, including public health surveillance, investigations, and interventions
- To report abuse or neglect
- After first consulting with our General Counsel and Director of Healthcare Privacy, to law enforcement officials pursuant to a valid court order, subpoena, or other legal mandate; to help identify and locate a suspect, fugitive, or missing person; to report or provide information related to a crime

Slide 27: Permitted Disclosures: By Authorization Form or Release
Other than for TPO purposes or where permitted or required by law, uses and disclosures of Protected Information should be made only upon authorization by the client or consumer. The Department has one Authorization Form (also called a Release of Information or ROI) that is located on both the Department's internet and intranet pages. Our workforce members and our consumers should be directed to use that form before we share Protected Information with third parties.

Slide 28: Breach Notification
The Department is subject to the HIPAA/HITECH and Maine State Breach Notification laws.

Slide 29: Maine Breach Notification Law
Virtually every state has its own breach notification law. Maine's law only applies to incidents involving electronic data. We must investigate incidents if there is even a possibility of a breach.

Slide 30: Breach Notification: Reporting Concerns or Incidents
All security or privacy concerns or incidents must be reported to:
- The Director of Healthcare Privacy
- Your Privacy/Security Liaison
Please report verbally wherever possible, to reduce the potential of alarm. Not all incidents amount to a breach!

Slide 31: Breach of Protected Information: It's Personal!
The Department handles the most sensitive health and financial information imaginable. Any of us can be, or may have been, subject to identity theft due to a breach of Protected Information. Imagine having to address, or try to undo, the impact of a breach of health or financial data. It is time consuming, stressful, and may not be effective. Your role in keeping Protected Information secure is vital and personal.

Slide 32: Breach Notification: Process
- Whether or not you work for a HIPAA-covered office or program, you are required to contact your Privacy/Security Liaison and Director of Healthcare Privacy if you are aware of, or suspect, a privacy or security incident.
- Our agreements should include language requiring vendors to contact the Department within 24 hours in the event of an actual or suspected breach of our Protected Information.
- Direct any questions to the Director of Healthcare Privacy.
- Investigation and documentation will be managed centrally with office/program cooperation.
- Every incident is not a breach. Scenarios are reviewed case by case.
- Breach Notification is now included in the Notice of Privacy Practices provided by our HIPAA-Covered Entities.
- No retaliation for good faith reporting is permitted.

Slide 33: Breach Notification: Department Obligations in the Event of a Breach Include:
- Where 500 or more consumers are impacted, notice by letter and media must be provided within 60 days.
- Notice may be delayed by law enforcement request, so as not to impede an investigation.
- Where 1000 or more consumers are impacted, Maine adds additional reporting requirements to state regulators.
- The burden is on the Department to show thorough investigation to support our decisions.

Slide 34: Breach Notification: In the News
The "Wall of Shame" is the nickname for the Federal DHHS Office of Civil Rights webpage where HIPAA-covered entities are required to report breaches of individuals' unsecured PHI impacting 500 or more individuals. The breaches are posted for public viewing and are searchable. Most breaches are caused by a loss or theft of a laptop or portable devices. Paper continues to be a risk as well.

Slide 35: Enforcement: Penalties Under HITECH
What could happen if there were a HIPAA/HITECH breach or violation?
- A maximum Civil Monetary Penalty amount of up to $1.5 million for multiple violations of the same provision.
- Criminal conviction and jail terms:
  - Unknowing and with reasonable cause: up to one year
  - Under false pretenses: up to 5 years
  - For personal gain or malicious reasons: up to 10 years

Slide 36: Research Requests
The Department is required to meet research compliance standards. As part of those requirements, the Department works with the University of Southern Maine's Institutional Review Board (IRB) to review any research requests.

Slide 37: Research
The Department's process for conducting or providing Protected Information for research may be viewed here. After a review by the IRB, if the Department agrees to share Protected Information or provide de-identified information with a researcher, a Data Sharing and Protection Agreement must be signed and maintained centrally. Please contact the Director of Healthcare Privacy, who also serves as the Human Protections Administrator, with any questions.

Slide 38: Summary: Remember
Never:
- Forward work email containing Protected Information to your home/offsite address.
- Leave unsecured Protected Information in a car or other non-work location.
(Secured Protected Information is appropriately encrypted or destroyed to make it unusable or unreadable to others.)

Slide 39: Summary: Remember
Always:
- Use the minimum necessary information to accomplish your work.
- Only access Protected Information on a need-to-know basis.
- Immediately report lost or stolen consumer records or devices containing Protected Information, including flash drives, smart phones, or computers.
- Review correspondence or documents before sending. Look for mistakes involving Protected Information, such as sharing more information than necessary, attaching the wrong document to an email, mail merge errors, hidden columns in a spreadsheet, or incorrect postal or email addresses.

Slide 40: Summary: Confidentiality Basics
Even if your office or program is not HIPAA-covered, all Department workforce members must treat Protected Information as confidential based upon other laws, regulations, rules, and Department policy.

Slide 41: Summary: Our Responsibility
The responsibility for protecting and securing the Protected Information we access, use, disclose, transmit, or maintain to do our jobs belongs to each of us.

Slide 42: Knowledge Check: True or False
Q: The minimum necessary/need-to-know standard only applies to the Department's HIPAA-covered entities.
A: False. Department Policy requires that our entire workforce, including staff, contractors, volunteers and students, use only the minimum Protected Information necessary to accomplish our jobs, and only view the Protected Information that we need for a legitimate work purpose.

Slide 43: Knowledge Check: True or False
Q: If you are presented with a warrant or a subpoena, you should immediately provide the information requested by the attorney or law enforcement officer.
A: False. You should immediately contact the General Counsel or the Director of Healthcare Privacy, because the demand may not be valid.

Slide 44: Knowledge Check: True or False
Q: Identifiers such as vehicle license numbers, URLs and thumb prints are considered HIPAA Identifiers.
A: True! There are numerous identifiers beyond the name, address, phone and account numbers that may identify the consumer. We need to keep them all confidential.

Slide 45: Knowledge Check: True or False
Q: If you know of, or suspect, a privacy or security incident involving the Department's Protected Information, you should speak with your Privacy/Security Liaison and the Director of Healthcare Privacy right away.
A: True! Contact your Privacy/Security Liaison and the Director of Healthcare Privacy immediately. Your assistance is required by Department policy!

Slide 46: Knowledge Check: True or False
Q: If, in good faith, you make a report of a privacy or security issue, you may be in trouble if an investigation finds no concerns.
A: False! There is no retaliation permitted for a good faith report, even if no breach is found to have occurred.

Slide 47: Questions?
Director of Healthcare Privacy and Human Protections Administrator
207.287.9362
[email protected]
Resources:
- DHHS Employee Information Center: http://inet.state.me.us/dhhs/privacy-security/index.php
- Policies: http://inet.state.me.us/dhhs/privacy-security/policies.php
- Posters: http://inet.state.me.us/dhhs/privacy-security/posters.php

Slide 48: Credit
Get credit
Please click on the above link to submit a completion form and get credit for reviewing this program.
