Revised January

Transcription

1 Revised January

2 Copyright and Trade Secret Warning All Rights Reserved. This training presentation contains confidential and proprietary trade secrets of and copyrights belonging to RadNet Management, Inc., its subsidiaries, and/or affiliates (collectively, "RadNet"). This training i presentation ti may only be used by a RadNet Center, RadNet's representatives or upon the express written permission of RadNet, and may not be reproduced in any media, either in whole or in part. Any reproduction of these documents, in whole or in part, or any use of these documents, other than as directed or agreed upon in writing by RadNet, is strictly tl prohibited and constitutes t a violation of law. 2

3 If you have questions as you review this training module, please talk to your facility manager or their designated d representative. If you need further assistance, please contact t your Regional Quality Assurance Specialist. West Coast: Carol Meena East Coast: April Dickerson

4 HIPAA is the acronym for the Health Insurance Portability and Accountability Act that was passed by Congress in The HIPAA Privacy Rule regulates the use and disclosure (sharing) of protected health information (PHI) and electronic protected health information (ephi). The regulations are designed to protect the privacy of each patient s medical records and thereby reduce instances of medical identity theft. 4

5 HITECH is the acronym for the Health Information Technology for Economic and Clinical Health Act. HITECH was enacted by Congress as part of the American Recovery and Reinvestment Act of 2009 to promote the adoption and meaningful use of health information technology. The government firmly believes in the benefits of using electronic health records and has invested federal resources to proliferate the use of electronic health records (EHR). 5

6 Our Business Associates are people or companies that perform certain functions for RadNet that involve the intentional sharing (disclosure) of protected health information (PHI) in order to conduct business with each other. Examples of Business Associates include, but are not limited to, transcription companies, billing companies, insurance companies, collection agencies, software companies, etc. We must have Business Associate Agreements (confidentiality agreements) in place to protect the patient information we share. 6

7 As an employee of RadNet, you are required to sign an Employee Confidentiality Agreement stating that you understand it is your responsibility to keep the PHI of each patient secure and confidential at all times from unauthorized or inadvertent access and from corruption or destruction by an unauthorized person. A Vendor Confidentiality Agreement is used for vendors who come on-site or access RadNet information. It states that the vendor understands the information they may see is highly confidential and cannot be further disclosed. A Non-Disclosure Agreement is required whenever providing any proprietary business information to an external organization that might engage RadNet for services or information. For example: to scope a project, for evidence that policies and procedures are in place, or as part of due diligence efforts. 7

8 The Privacy Rule describes how we can Use and Disclose protected health information (PHI). Use is when we share patient information within RadNet. Disclosure is when we share patient information to a person or company outside of RadNet. There are very specific rules about the Use and Disclosure of PHI of PHI. 8

9 RadNet and our affiliated healthcare businesses are covered by the HIPAA and HITECH laws and standards. Individual employees, as well as the Company, can be held accountable for HIPAA or HITECH violations. 9

10 Healthcare organizations must have in place and apply appropriate sanctions against employees who fail to comply with privacy policies and procedures. The organization may not take action against a patient for exercising his or her privacy rights. 10

11 Employees who violate RadNet policies regarding the privacy and security of confidential, restricted, or protected health information are subject to corrective and disciplinary actions according to existing policies. Actions taken could include: Termination of employment. Possible further legal l action. Violation of local, State and Federal laws may carry additional consequences of prosecution under the law, costs of litigation, payment of damages, or all. Knowing, malicious intent = Penalties, fines, jail! 11

12 The term breach means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information. A breach may either be intentional or accidental. Either way, we must take action to correct the breach. Such actions are explained later in this training. 12

13 Stolen/lost computer, flash drive or other electronic media containing unsecured PHI. Lost papers or films containing i PHI. Misdirected or patient record. Explanation of Benefits sent to wrong guarantor. Misfiled patient information in another patient s record which is brought to our attention by the patient. Medical records lost in the mail and never received. Misdirected fax. Employee accesses records of a celebrity, relative, friend or coworker out of curiosity without a necessary business related purpose (snooping). 13

14 RadNet employees may access patient information for authorized business purposes only. Accessing information for any reason that is not an authorized and necessary business purpose is considered snooping. Snooping is considered a breach and a criminal offense and is punishable by law. RadNet takes snooping VERY SERIOUSLY. 14

15 Penalties can be assessed against the Company. Penalties can also be assessed against an individual id employee for causing the breach. For your own protection ti and to avoid sanctions and penalties, every employee is urged to be very careful when handling PHI. Be careful with papers, films, CDs, faxes, s, electronic information, and even your conversations involving protected health information. 15

16 Penalties are based on the organization s responsibility for the HIPAA violation and are determined by the nature and extent t of both the violation and the harm caused by it. Violation Amount per Violation Repeat Violation in Same Year Did Not Know $100 - $50,000 $1,500,000 Reasonable Cause $1,000 - $50,000 $1,500,000 Willful Neglect Corrected Willful Neglect Not Corrected $10,000 - $50,000 $1,500,000 $50,000 $1,500,000 16

17 How RadNet Protects PHI RadNet continuously reviews and updates electronic security measures to help protect PHI. IT policies and procedures can be reviewed in the RadNet HIPAA/HITECH Information Security Policy & Procedure Manual. HIPAA policies can also be reviewed in the RadNet Corporate Compliance Manual. 17

18 1. User ID: Use only unique usernames (not a shared account) 2. Passwords: Don t share passwords, access codes, proxycards. Change passwords at least every 90 days. Create strong passwords or passphrases. 3. Workstation Security: Log off or lock <ctr-alt-del> when you leave. 4. Portable Device Security: Lock it up and use encryption. 5. Data Management: Save critical or sensitive data only on network drives. 6. Remote Access: Use a Virtual Private Network. 7. Recycle Electronic Media & Computers: Reformat or remove/destroy hard drives and media. 8. and File Sharing: Encrypt all PHI sent via e- mail. Don t share PHI on cloud storage. 9. Safe Internet Use: Report unfiltered Internet access. 10.Physical Access: Don t give unauthorized access to secure areas. 11.Report Security Incidents: All potential issues reported to security@radnet.com. 18

19 Control Access: Do not share your unique User Name/ User ID or application access. Only access the minimum information needed to do your job. Remember that user access to information systems is logged and audited for inappropriate access or use. 19

20 Protect your Password: Never share your password protect it the same as you would the key to your residence. After all, it is a key to your identity. Log out when you are done so others do not access information under your name and password. If they access inappropriate information, you will be identified as the user. Never set a web browser to remember your password. Public or shared computers allow others access to your password. 20

21 Workstations include any electronic computing device such as a laptop or desktop computer. Portable devices, including tablets and smart phones that have similar computing functionality, must also adhere to RadNet s security standards. Physical Security Measures include: Disaster Recovery Controls Physical Access Controls Device & Media Controls 21

22 Administrative, technical and physical safeguards for PHI: Requires entities to secure the confidentiality, integrity and availability of any PHI they create, receive, maintain or transmit. Supports the Privacy Rule s mandates for proper use and disclosure of PHI. Requires entities to identify and protect against anticipated threats and ensure workforce compliance threats and ensure workforce compliance. Includes 22 standards and 50 implementation specifications. 22

23 Administrative Safeguards: Follow our Compliance and IT Department t policies i and procedures for handling PHI. Physical Safeguards: Secure workstations, portable devices and electronic media with passwords and locks. Ensure secure transfer, removal, disposal and re-use of devices and files that contain PHI. Technical Safeguards: Encrypt PHI before transmitting and storing it. Follow required audit controls. Comply with policies for accessing, altering and destroying PHI. 23

24 Charts Databases Desktop/Laptop Backup Drives and files Computers and Discs Conversations Imaging Equipment Flash Drives Tablets & Phones 24

25 All portable devices (laptops, tablets, cell phones, flash drives, memory cards, etc.) must be stored in a secure location. They must be password protected and encrypted if they contain highly sensitive or confidential data. Never affix your User ID or Password to the device. Never leave a portable device unattended or unsecured and safeguard them when you transport them. If your portable device is lost or stolen, report it immediately to the Compliance and Quality Assurance Department. 25

26 1. Lax Information Security Files left open for others to see. Shared passwords. Inappropriate use of portable media devices. Lost or stolen patient files, hard drives, computers. Hacking of systems from external threats. 26

27 2. Insider Threats Employees, competitors or vendors who seek to obtain PHI for selfish reasons, such as: Commercial advantage Personal gain Malicious harm 27

28 3. Social Engineering Traps Phishing and other electronic attacks that trick people into revealing PHI. Individuals who pose as an authorized source in order to trick people into disclosing PHI. A scammer who pretends to be an insurance representative over the phone. A criminal posting as a vendor during an on-site visit. Hacking of systems from outside threats. 28

29 29

30 All breaches of patient information must be reported and investigated by the facility manager to determine What was breached; Who it was breached to; and How it was breached. The breach notification final rule requires us to determine the risk of compromise to a patient rather than potential harm to a patient when their information is breached. Actions must be taken to resolve the breach, such as getting g the breached information back or making sure it has been permanently destroyed. 30

31 To determine whether there is a low probability that PHI has been compromised, we must conduct a risk assessment that considers at least each of the following factors: The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re- identification. The unauthorized person who used or received the PHI. Whether the PHI was physically acquired or just viewed. The extent to which the risk to the PHI has been mitigated (did we get it back or was it permanently destroyed). d) 31

32 Healthcare providers still have a safe harbor, in which an unauthorized disclosure only rises to the level of a breach thereby triggering notification requirements if the PHI disclosed is "unsecured. Unsecured PHI is PHI that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of technology or methodology specified by the secretary through published guidance. In other words, if it s encrypted and the person can t view it, it s not a breach. 32

33 33

34 ALL Breaches shall be reported to the QA Department immediately upon discovery. Document whose information was breached. Document who the information was breached to. Include copies of exactly what was breached when you submit the report (except films or image CDs). The QA Department will assist facility managers when patient notification is required. Do not notify the patient unless the QA Dept directs you to do so. 34

35 Breach incidents are reported online at Login to QA Tracker Incident Reporting Click on Create Breach Incident Report Detailed instructions are available in RadNet s Incident Report Training 35

36 Healthcare providers must sometimes provide notice to: Individuals; The media (if the breach affects more than 500 residents of a state or smaller jurisdiction); and The Department of Health and Human Services HHS (if the breach affects more than 500 individuals, regardless of location). Business associates must also provide notice no later than 60 days after the discovery of a breach of unsecured PHI. Do not provide Notice unless you are advised to do so by the Quality Assurance Department. 36

37 Sometimes the patient will file a complaint with the Board of Physicians, Office of Inspector General or other government agency. Notify your manager and the Quality Assurance Department right away if you receive notice of a breach complaint from an agency. We are typically required to provide a written response to these types of breach investigations. There is usually a specified time frame, so report this right away. The QA Dept. will assist in preparing these responses. 37

38 Once a breach is investigated to determine who was breached, who received the breached information, exactly what was breached, and how it was breached, it is important to implement a corrective action plan. Corrective action includes: Contact the person who received the breach and either collect the information back or have the person sign an Attestation of Destruction verifying the information was permanently destroyed by cross-shredding. Counsel the employee who caused the breach and provide training on their error. Document all of this in the online Breach Report. 38

39 39

40 Employees must be extremely careful when releasing medical records. Careless mistakes are not acceptable. There is no excuse for providing the wrong medical records to a patient or a provider. 40

41 Ensure the intended recipient is actually entitled to receive the medical records that were requested. Obtain a properly documented Medical Records Release Form NOTE: We are required by law to keep a record of all disclosures of patient information. 41

42 42

43 Ensure the intended recipient is actually entitled to receive the medical records that were requested. Obtain a properly documented Medical Records Release Form We are required by law to keep a record of all disclosures of patient information. The patient must provide written permission to mail medical records to an authorized representative. 43

44 Check photo ID We must be sure we are dealing with the patient t or their authorized representative ti They can fax or it to you. If you obtain the Release Form via or fax, check the signature against photo ID or previously archived RIS documents We must be sure the actual patient authorized the mailing of their records. If you engage in correspondence to collect this document, follow the Correspondence With Patients Policy. 44

45 Carefully check the name and address of the intended recipient i on the envelope. Many names are similar; Make sure you have the correct name for the intended d recipient i on the envelope. Make sure the address on the envelope matches the correct address of the intended recipient. 45

46 Double check the contents of the envelope before sealing it. Make sure the contents belong to the intended recipient. Check all pages to make sure records of another patient t are not mistakenly included in the envelope. Especially check billing invoices i to ensure only one patient t is included on the invoice. 46

47 Check what shows through the envelope window if using this type of envelope. Make sure protected health information (besides the patient s t name and address) ) is not showing through the view window. 47

48 When doing mass mailings, do a small test run to ensure the system is performing properly. Always check a sample of the mailings for the accuracy of name and address and the correct contents t before sending the batch. 48

49 49

50 Confirm the fax number if it is one that is not regularly used or is not programmed into the RIS. Carefully check the fax number to ensure it is correct for the intended recipient. When manually entering the number, check to see that it has been entered correctly before hitting Send. When faxing directly to a patient do not hesitate to call the patient to confirm they requested the fax Someone else could be acting as the patient and making this request. 50

51 Program regularly used fax numbers into the RIS or into the manual fax machine. Check to make sure you selected the correct preprogrammed number before sending. Update a preprogrammed fax number as soon as you receive notification that it has changed. Update a preprogrammed fax number as soon as you receive notice that it is incorrect. Delete a preprogrammed fax number if it is no longer being used. 51

52 Fax through the RIS whenever possible. If you have a manual fax machine, place it in a location where it can be visually monitored and controlled. Avoid leaving patient information on fax machines after sending documents. Pick up received faxes as soon as possible. 52

53 53

54 Carefully check the name of the intended recipient on the envelope. Many names are similar; Make sure you have the correct name for the intended recipient on the envelope. 54

55 Double check the contents of the envelope before handing it over to the recipient Even if you prepared p the envelope yourself, check it again before handing it over. Make sure the contents belong to the intended recipient. Check all pages to make sure records of another patient are not mistakenly included in the envelope. Especially check billing invoices to ensure only one patient is included on the invoice. 55

56 56

57 Every employee is responsible for how they handle patient information. There are often multiple employees involved in preparing and releasing a package of medical information. Each person in the chain is responsible for double checking the information in and on the package is correct. 57

58 We cannot state this loud enough Take that extra moment to double check. Mail envelopes Faxes Pick-up envelopes Double check every single time. It only takes a moment to avoid costly mistakes. 58

59 59

60 The parents or legal guardians of a minor patient under the age of eighteen (18) years old are generally considered the personal representatives of the minor. All patients age 18 and over are considered adults. As such, the parent or legal guardian has no rights of access to the patient s medical records or other PHI, including, but not limited to, appointment information, exam results, copies of images, and billing invoices. These patients must provide authorization for their parent to have access to their medical records and appointment information. 60

61 An emancipated minor is one whose personal situation allows us to interact with the minor as though the minor was an adult. A person under the age of 18 lacks the legal capacity to give consent for medical treatment except under the circumstances cited below: Married Minor Minor Emancipated by Court Order Self-Sufficient Minor Minor on Active Duty Pregnant Minor Minor with an Infectious Disease Rape Victims and Victims of Sexual Assault Minor with Drug or Alcohol Related Problems 61

62 Procedure for handling minors (who are not emancipated): Present all exam-related paperwork to the parent or legal guardian of minor patients under the age of 18. A minor s parent or guardian may sign a statement to authorize a third party to consent to a minor s medical care in the parent s absence. 62

63 If an unaccompanied minor arrives for an appointment without a signed statement authorizing a third party to consent to the minor s medical care in the parent s absence: Determine whether the unaccompanied minor is emancipated before contacting the minor s parent or legal guardian. Refer to the state specific listing of emancipation conditions found in RadNet s Minor Patients Policy in the Front Office / Billing Policy Manual. Contact the unaccompanied minor s parent or legal guardian to obtain permission to treat the minor patient. Note the conversation in the patient s medical record by documenting the following: Names of both parties to the call, including the employee s title. Authority of the person giving the verbal consent to treat the minor. Date and time of the call. Specific information relayed. 63

64 The Privacy Rule generally allows a parent to have access to the medical records of his or her child. There are three situations when the parent would not be the minor s personal representative under the Privacy Rule. These exceptions are: When the minor is the one who consents to care, and the consent of the parent is not required under State or other applicable law; When the minor obtains care at the direction of a court or a person appointed by the court; and When, and to the extent that, the parent agrees that the minor and the healthcare provider may have a confidential relationship. 64

65 However, even in these exceptional situations, the parent may have access to the medical records of the minor related to this treatment when State or other applicable law requires or permits such parental access. Parental access would be denied when State or other law prohibits such access. If fs State or other applicable law is silent on a parent s right of access in these cases, the licensed healthcare provider may exercise his or her professional judgment to the extent allowed by law to grant or deny parental access to the minor s medical information. 65

66 A provider may choose not to treat a parent as a personal representative ti if the provider reasonably believes, in his or her professional judgment, that the child has been or may be subjected to domestic violence, abuse or neglect, or that treating the parent as the child s personal representative could endanger the child. For a complete list of fstate specific conditions for which a minor can consent to treatment, refer to the Minor Patients Policy in the RadNet Front Office / Billing Policy and Procedure Manual. 66

67 Complete the corresponding quiz in Online Academy. Remember to speak with your supervisor if you have any questions about the information presented in this training. 67