Compliance & HIPAA Annual Education 1
The purpose of this education is to UPDATE The purpose and of this education REFRESH is to UPDATE your and REFRESH understanding understanding of: of: Aultman s Compliance Program. The HIPAA rules and PROTECTING OUR PATIENT S confidential information. 2
Aultman s Compliance Program The Aultman Compliance Program includes SEVEN CORE ELEMENTS as required by the government. The 7 elements of an effective Compliance Program are Written policies and procedures and standards of conduct. A Compliance Officer that is accountable and responsible for the program. Effective education and training. Lines of communication for reporting compliance concerns. Disciplinary action for non-compliance. Routine auditing and monitoring to identify risks. Procedures for responding promptly to non-compliance and undertaking corrective action. 3
So what does the Compliance Department at Aultman actually do? Demonstrates a good faith effort to comply with federal, state, and local regulations. Establishes procedures to prevent, detect, and correct noncompliance. Provides a method for employees to report potential problems. Serves as a resource to resolve compliance issues. But wait! THERE S MORE Aultman s Compliance Department strives to PROTECT our organization, workforce members, and customers. Preserve the level of INTEGRITY that Aultman is known for as a highly reliable organization. Promote the continued effort to DO THE RIGHT THING. 4
What is expected of me? Follow Aultman s Code of Conduct. Carry out your job duties with INTEGRITY and HONESTY. Know the laws and regulations that apply to your job. Exercise good judgment and do the right thing when performing your job. Report suspected compliance concerns or problems to the Compliance Department. 5
Fraud, Waste, and Abuse (FWA) Fraud, Waste, and Abuse can occur in many different formats. For example... Billing for services not furnished or that are medically unnecessary could be considered FWA. An estimated 10% of Medicare costs are wrongly spent on fraud, waste, and abuse. If you have a concern or question about how things are being done, it is important that you report your concern. The government is devoting substantial resources to prevent and detect FWA. Additional information regarding FWA, and the False Claims Act, can be found in the Aultman Employee Handbook or CMS s Fraud & Abuse: Prevention, Detection, and Reporting Fact Sheet. 6
How do I report a Compliance Concern? Discuss concerns with your manager or another member of the management team. Contact the Compliance Department at (330) 363-3380 or Ext. 33380 or compliance@aultman.com. Report anonymously by calling the Aultman Compliance Line at 1 (866) 907-6901 or online at https://www.aultman.org/complianceline. I have a concern Employees reporting in good faith will not be subject to retaliation. 7
What is HIPAA? HIPAA is a federal law which: Regulates and sets standards for protecting patient privacy and confidentiality of Protected Health Information (PHI). Describes how we may use and disclose health information. Expands patient s rights regarding their health information. Includes penalties for privacy violations. 8
Breach: Protected Health Information (PHI) : Any and all health information that could identify a particular person. Name & address, age, date of birth, social security number, clinical information, test results, diagnosis, photos, employer. When someone obtains, views, or discloses PHI inappropriately. May require notification of patient and government. Report any potential breaches to the Compliance Department. PHI can be shared without patient authorization for: Treatment anyone who has a treatment relationship with the patient. Payment for billing and collection activities. Healthcare Operations business activities, including quality improvement and teaching. 9
Why is Patient Privacy Important? Patients place TRUST in us to protect their most private information. If patients don t trust us with their private information They may be reluctant to disclose important information that is vital to their care. They may go elsewhere to receive treatment. Our community reputation could be damaged. Not only do we have a legal duty to protect patient health information, we have an ETHICAL and MORAL obligation, as well. 10
What can I tell my patient s friends and family? Obtain patient approval before sharing PHI. Oral or written approval is acceptable. Document it in the medical record. Use the Privacy Communication tab in Cerner or paper form. Patient may change his/her mind at any time. When in doubt, do not disclose information! Remember, you can consult your manager or Compliance for guidance. Use professional judgment when patient is unconscious or incapacitated. Utilize the Minimum Necessary Standard. Family & friends should be actively involved in care in order to receive PHI. 11
Mobile Devices Mobile devices such as laptops, tablets, smartphones, and USB flash drives that contain confidential Aultman information must be password protected and encrypted, when possible. Texting of patient information should only be performed with Aultman approved applications that are secure and encrypted. The Joint Commission prohibits the texting of patient care orders. 12
Audits HIPAA rules require that all our electronic systems have the capability to produce an audit trail. This allows us to: See who has accessed patient records and when. Conduct random audits of employee access. Investigate any patient complaint regarding HIPAA. Run specialized reports that can show, for example, if a user accessed a co-worker s medical record. 13
Sn ping Did you know? Snooping into electronic medical records is the most common type of HIPAA violation at Aultman. Aultman policies DO NOT PERMIT workforce members to look up their own medical information, or that of family, friends, co-workers, or patients of interest. This applies to all forms of medical information 14
They re my records why can t I have access? When receiving health care services, employees are like any other patient. As a patient, an employee may obtain a copy of their health care information (or the records of family members) by completing the release of information process in the Medical Records Department. A signed Authorization Form does not permit workforce members to directly access anyone s information via Aultman s various electronic systems. Aultman s Patient Portal is also available and allows patients direct access to their health information. If you still need to sign-up for the Patient Portal, please contact the Registration Department. 15
What s the big deal? The reason for these restrictions is the HIPAA Minimum Necessary Standard, also known as the need to know rule. Under this HIPAA standard, you are only permitted to access information you need to do your job and disclose only information to others to do their job. Looking up your own information or the information of a family member does NOT meet this standard! The HIPAA rules require health care organizations to have consistent disciplinary actions in place for employees who violate HIPAA. At Aultman, disciplinary actions for HIPAA violations have ranged from suspensions to terminations. Aultman s disciplinary process is outlined in the Employee Handbook. 16
Social Media 17
Social media websites are a great tool for sharing all kinds of information, BUT NEVER for sharing any kind of patient information, even in general terms! Remember that any information and images you post online could remain there forever and might be redistributed, shared, commented upon, and accessed by anyone, including your family, friends, or employers (even many years later). THINK. before you post! 18
Computer & Email Security Log off or lock your computer when leaving your workstation. Email All emails sent to another Aultman email are secure. Emails sent externally that contain Protected Health Information MUST be encrypted. To lock your screen press: Type [SECURE] anywhere in the subject line to encrypt an email. [Secure] User IDs and Passwords Everyone must have a unique user ID and password and they are responsible for all activity that occurs under that combination. Mandatory password changes are required a minimum of every 90 days. Passwords should be strong to increase security. 19
Phishing Schemes Phishing attacks are typically carried out through the use of emails that appear to be sent from a legitimate source. Recipients of these emails are directed to click on links that send them to websites designed to obtain sensitive information or install malicious software onto their device. 20
How to spot a phishing email Spelling and bad grammar If you notice mistakes in an email, it may be malicious. The hyperlinked URL is different Hover your mouse over the address in the from field to see if the website domain matches that of the site the email should have originated from. You Won!! A common scam is to send an email that says you won a prize for a contest you never entered. Make a donation Unfortunately, phishing emails might ask for a donation to a legitimate cause, such as the American Red Cross. To be safe, contact organizations directly to make donations. Call to action Often they will trick you into clicking on a link to reactivate your account or to remove a hold. Don t click on the link, but instead log onto your account in question directly through their website. Requesting personal information Reputable organizations will not ask for personal information in an email. 21
Ransomware A type of malicious software designed to block access to a computer system until a sum of money is paid. Installed through email attachments, infected downloads, or visiting malicious websites or links. Only open attachments, install downloads, or visit websites from known and trusted sources. HEALTHCARE 22
If you feel you have fallen victim to ransomware or a phishing scheme, please contact our IT Security Department IMMEDIATELY at: EPHIsecurity@aultman.com Help.Desk@aultman.com 23
There are resources available to learn more about the HIPAA Privacy and Security Regulations PolicyTech This is our internal system that contains all of Aultman s HIPAA Privacy and Security policies and procedures. Can be accessed through the employee portal under Resources then Policies & Procedures. Notice of Privacy Practices (NPP) This is a document we are required to give all patients. It summarizes our policies and procedures in regards to the requirements of HIPAA. 24
Issues we ve seen at Aultman Random audit revealed an employee accessed their co-worker s records. Employees were receiving harassing phone calls from a patient s family demanding protected information. Guidance was provided to the staff. A group of employees posed for a picture while at work that was posted to social media. Patient PHI was visible on the computer behind them. A patient was sent home with another patient s discharge instructions or clinical summary. A department requested guidance on proper storage of PHI in their offices. A family member found a nurse s report paper with patient PHI on the ground in the hallway. Lab report was faxed to the wrong physician office. 25
Compliance Department Ext. 33380 or compliance@aultman.com Questions? Tim Regula Chief Compliance and Privacy Officer Kelly Martinelli Aultman Medical Group Compliance Officer Ext. 46493 or (330) 433-1493 kelly.martinelli@aultman.com Valerie Waldorff Aultman Orrville Hospital Compliance Liaison Ext. 35425 or (330) 363-5425 valerie.waldorff@aultman.com Ext. 37448 or (330) 363-7448 tim.regula@aultman.com Karen Wulff Integrated Health Collaborative Compliance & Privacy Officer Ext. 33115 or (330) 363-3115 karen.wulff@aultman.com Barbara McGill HIPAA IT Security Officer/Analyst Ext. 39784 or (330) 363-9784; barbara.mcgill@aultman.com Direct questions regarding Systems and Technology Security to: EPIsecurity@aultman.com or submit a Help Desk Ticket via the Employee Portal. 26
HIPAA regulations require Aultman to provide on-going compliance education for all employees and other members of the Aultman workforce. We have created a post-test to demonstrate your understanding of the information provided in this education. Every employee must complete the post-test and answer 80% of the questions correctly. Tana Rodgers BSN, RN 2017 Please proceed to the post-test now. 27