HIPAA For Assisted Living WALA iii

Transcription

1 Table of Contents The Wisconsin Assisted Living Association... ix Mission... ix Vision... ix Values... ix Acknowledgments... ix Who Should Use This Manual... x How to Use This Manual... x Updates and Forms... xi Chapter 1: Heading Into HIPAA... 1 A Brief Overview of HIPAA... 3 Whose Information Is Private?... 3 Why HIPAA Matters to Your Assisted Living Community... 4 What Is the Deadline for Compliance?... 5 Should I Just Hire a Consultant to Do All This?... 5 But my billing service takes care of all that!... 5 What If HIPAA Doesn t Apply to Your Community?... 6 Have a COW, Man!... 6 A Note About Legal Counsel... 7 Essential HIPAA Terminology... 7 Federal vs. State Law: When in Doubt, Do It the Hard Way... 7 The Privacy Rule and the Security Rule... 9 The Privacy Rule... 9 The Security Rule A Note About HITECH HIPAA FOR MANAGERS Chapter 2: The Privacy Officer and the Security Officer The Privacy Officer Privacy Officer qualifications Privacy Officer responsibilities The Security Officer Security Officer qualifications Security Officer responsibilities Duties of the Privacy Officer and Security Officer Training Monitoring and Audits Complaints and Security Incidents Investigation and Enforcement HIPAA: Not Your Only Responsibility Contingency Plans and Mitigation Retaliatory Acts Performing a Risk Assessment Creating a Culture of Compliance Helping Family Members Understand Sample Privacy Officer Job Description Sample Security Officer Job Description HIPAA Reminder Poster Sample Letter Informing Residents and Families of HIPAA Restrictions iii

2 Chapter 3: Resident Records What the Resident Record Contains The Resident Privacy Flow Sheet Making Entries in the Resident Record Bumps in the Log Correcting Errors in the Resident Record Resident Privacy Flow Sheet List of Approved Forms Chapter 4: Who Has Access to Protected Health Information? Employee Access to PHI Business Associates Access to PHI Exceptions to Minimum Necessary Standards Minimum Necessary Standards Chapter 5: Disclosing PHI TPO Disclosures Special PHI Approved resident restrictions Required Disclosures Permitted Disclosures Authorized Disclosures Expiration and revocation of authorizations Resolving conflicts Redisclosures Special PHI Recommendations on redisclosures Request to Restrict PHI Uses or Disclosures Form Form Letter to Attorney in Response to Subpoena Authorization for Use or Disclosure of Information Chapter 6: Residents Rights Right to a Notice of Privacy Practices Creating a Notice of Privacy Practices Distribution of the NPP Amending the NPP Right to Request Certain Restrictions on the Use and Disclosure of PHI Right to Request Access to PHI Fees for Resident Copies of Their Records Monitored access Denying a request for access to PHI Residents review rights PHI held at another facility Right to Request an Amendment of PHI Denying a request to amend PHI Right to an Accounting of PHI Disclosures Acknowledgment of Receipt of Notice of Privacy Practices Documentation of Good Faith Efforts Resident Request to Access PHI Form Decision for Resident Request to Access PHI from Privacy Officer Decision by Clinical Staff Designee on Denial of Access iv

3 Resident Request to Amend PHI Form Decision Regarding Resident Request to Amend PHI Resident Request for Accounting of PHI Disclosures Form Accounting of PHI Disclosures Report Form Chapter 7: Business Associates Who Is a Business Associate? Exceptions to the Business Associate Agreement Roster of Business Associates Business Associates Obligations Business Associate Agreement Accounting of Disclosures Breaches Business Associate Roster Letter Notifying Business Associates of Their Obligations Sample Business Associate Agreement Provisions Data Breach Notice from Business Associate MAKING HIPAA HAPPEN Chapter 8: Safeguarding Protected Health Information (PHI) Access and Storage Controls Malicious software Security incidents and emergencies Tips for Creating Strong Passwords Storage controls Removal and destruction of PHI Employee Safeguards Employee obligations Termination Communication Safeguards: Written Materials and Telephone Calls Resident directories Telephone calls Communication Safeguards: Fax Communication Safeguards: Communication Safeguards: Social Media Communication Safeguards: Texting Safeguards on Computers and Other Electronic Media Checkout/check in procedures Disposal Business Associate Safeguards Action Form Termination/PHI Access Keys/Passwords Checklist Fax Cover Sheet Personal Electronic Media Statement Chapter 9: Training HIPAA Training Other Resources A Note About HIPAA Training or Materials from Hired Contractors Be aware of misleading marketing claims HIPAA Training Quiz v

4 HIPAA Training Quiz Answers Acknowledgment of Completion of HIPAA Training HIPAA HICCUPS Chapter 10: Breaches What Does the Government Do to Ensure HIPAA Compliance? What Triggers a HIPAA Audit? What Does This Mean for My Assisted Living Community? What Is a Breach? What are some common ways breaches occur? What are the different types of HIPAA breach violations? Penalties for Breach Violations Your Responsibility to Report Breaches What is your responsibility in investigating an alleged breach? When to Notify Residents of Breach Violations How to Notify Residents of Breach Violations Timing Format Content Corrective Action Your Community Should Take After a HIPAA Breach Preparing for an OCR Investigation Sample Notification of Breach Violation Letter to Resident Other optional considerations: Chapter 11: Complaints How the OCR Responds to HIPAA Complaints How are Complaints Filed? Contact information for OCR Region V (Illinois, Indiana, Michigan, Minnesota, Ohio, Wisconsin) How Should You Respond to a Complaint? Chapter 12: Audits Who Gets Audited? What to Expect in the Event of an Audit Timeline Process How to Prepare for an Audit General Recommendations to Best Prepare to Respond to Breaches, Complaints, and Audits ADDITIONAL MATERIALS HIPAA for Assisted Living: Quick Reference Guide Glossary of HIPAA Related Terms Notes on Mental Health Records/Psychotherapy Notes Uses and disclosures of protected mental health information Individual rights granted by the privacy standard Enforcement and destruction of mental health records Note about psychotherapy notes Communicable Disease Records Under State Law vi

5 Drug and Alcohol Treatment Records Sample Disaster Recovery Plan Checklist for Determining Your HIPAA Compliance vii