Compliance & HIPAA Annual Education


Purpose of this education

The purpose of this education is to UPDATE and REFRESH your understanding of:
- Aultman's Compliance Program.
- The HIPAA rules and PROTECTING OUR PATIENT'S confidential information.

Aultman's Compliance Program

The Aultman Compliance Program includes SEVEN CORE ELEMENTS as required by the government. The 7 elements of an effective Compliance Program are:
- Written policies and procedures and standards of conduct.
- A Compliance Officer that is accountable and responsible for the program.
- Effective education and training.
- Lines of communication for reporting compliance concerns.
- Disciplinary action for non-compliance.
- Routine auditing and monitoring to identify risks.
- Procedures for responding promptly to non-compliance and undertaking corrective action.

So what does the Compliance Department at Aultman actually do?

- Demonstrates a good faith effort to comply with federal, state, and local regulations.
- Establishes procedures to prevent, detect, and correct noncompliance.
- Provides a method for employees to report potential problems.
- Serves as a resource to resolve compliance issues.

But wait! THERE'S MORE. Aultman's Compliance Department strives to:
- PROTECT our organization, workforce members, and customers.
- Preserve the level of INTEGRITY that Aultman is known for as a highly reliable organization.
- Promote the continued effort to DO THE RIGHT THING.

What is expected of me?

- Follow Aultman's Code of Conduct.
- Carry out your job duties with INTEGRITY and HONESTY.
- Know the laws and regulations that apply to your job.
- Exercise good judgment and do the right thing when performing your job.
- Report suspected compliance concerns or problems to the Compliance Department.

Fraud, Waste, and Abuse (FWA)

Fraud, Waste, and Abuse can occur in many different formats. For example, billing for services not furnished or that are medically unnecessary could be considered FWA. An estimated 10% of Medicare costs are wrongly spent on fraud, waste, and abuse.

If you have a concern or question about how things are being done, it is important that you report your concern. The government is devoting substantial resources to prevent and detect FWA.

Additional information regarding FWA and the False Claims Act can be found in the Aultman Employee Handbook or CMS's "Fraud & Abuse: Prevention, Detection, and Reporting" Fact Sheet.

How do I report a Compliance Concern?

- Discuss concerns with your manager or another member of the management team.
- Contact the Compliance Department at (330) 363-3380 or Ext. 33380 or compliance@aultman.com.
- Report anonymously by calling the Aultman Compliance Line at 1 (866) 907-6901 or online at https://www.aultman.org/complianceline.

Employees reporting in good faith will not be subject to retaliation.

What is HIPAA?

HIPAA is a federal law which:
- Regulates and sets standards for protecting patient privacy and the confidentiality of Protected Health Information (PHI).
- Describes how we may use and disclose health information.
- Expands patients' rights regarding their health information.
- Includes penalties for privacy violations.

Protected Health Information (PHI) and Breaches

Protected Health Information (PHI): Any and all health information that could identify a particular person, such as name and address, age, date of birth, social security number, clinical information, test results, diagnosis, photos, and employer.

Breach: When someone obtains, views, or discloses PHI inappropriately. A breach may require notification of the patient and the government. Report any potential breaches to the Compliance Department.

PHI can be shared without patient authorization for:
- Treatment: anyone who has a treatment relationship with the patient.
- Payment: billing and collection activities.
- Healthcare Operations: business activities, including quality improvement and teaching.

Why is Patient Privacy Important?

Patients place TRUST in us to protect their most private information. If patients don't trust us with their private information:
- They may be reluctant to disclose important information that is vital to their care.
- They may go elsewhere to receive treatment.
- Our community reputation could be damaged.

Not only do we have a legal duty to protect patient health information, we have an ETHICAL and MORAL obligation as well.

What can I tell my patient's friends and family?

- Obtain patient approval before sharing PHI. Oral or written approval is acceptable.
- Document it in the medical record. Use the Privacy Communication tab in Cerner or the paper form.
- The patient may change his/her mind at any time.
- When in doubt, do not disclose information! Remember, you can consult your manager or Compliance for guidance.
- Use professional judgment when the patient is unconscious or incapacitated.
- Utilize the Minimum Necessary Standard.
- Family and friends should be actively involved in care in order to receive PHI.

Mobile Devices

Mobile devices such as laptops, tablets, smartphones, and USB flash drives that contain confidential Aultman information must be password protected and encrypted, when possible. Texting of patient information should only be performed with Aultman-approved applications that are secure and encrypted. The Joint Commission prohibits the texting of patient care orders.

Audits

HIPAA rules require that all our electronic systems have the capability to produce an audit trail. This allows us to:
- See who has accessed patient records and when.
- Conduct random audits of employee access.
- Investigate any patient complaint regarding HIPAA.
- Run specialized reports that can show, for example, if a user accessed a co-worker's medical record.

Snooping

Did you know? Snooping into electronic medical records is the most common type of HIPAA violation at Aultman. Aultman policies DO NOT PERMIT workforce members to look up their own medical information, or that of family, friends, co-workers, or patients of interest. This applies to all forms of medical information.

They're my records, why can't I have access?

When receiving health care services, employees are like any other patient. As a patient, an employee may obtain a copy of their health care information (or the records of family members) by completing the release of information process in the Medical Records Department. A signed Authorization Form does not permit workforce members to directly access anyone's information via Aultman's various electronic systems.

Aultman's Patient Portal is also available and allows patients direct access to their health information. If you still need to sign up for the Patient Portal, please contact the Registration Department.

What's the big deal?

The reason for these restrictions is the HIPAA Minimum Necessary Standard, also known as the "need to know" rule. Under this HIPAA standard, you are only permitted to access information you need to do your job, and to disclose to others only the information they need to do their job. Looking up your own information or the information of a family member does NOT meet this standard!

The HIPAA rules require health care organizations to have consistent disciplinary actions in place for employees who violate HIPAA. At Aultman, disciplinary actions for HIPAA violations have ranged from suspensions to terminations. Aultman's disciplinary process is outlined in the Employee Handbook.
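The Audits slide says the audit trail lets the organization see who opened which record and run reports that show, for example, a user opening a co-worker's chart, and the slide above explains the need-to-know rule those reports enforce. The following is an added example of such a review script, not Aultman's own tooling. It assumes an EHR audit export as CSV lines (user_id, patient_id, timestamp, action), a constructed roster mapping workforce user IDs to their own patient record, and a constructed care-team table listing which users currently have a treatment, payment or operations reason to open which charts; all sample values are made up for the example.

```python
"""Audit-trail review for self, co-worker and no-relationship chart access.

Added example; not Aultman's own audit tooling. The audit export format,
the workforce roster and the care-team table are assumptions for this
example, and every value below is constructed.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed audit export in the format this example assumes.
AUDIT_LOG = """\
user_id,patient_id,timestamp,action
rn_jones,P1001,2017-03-01T08:05:00,VIEW_CHART
rn_jones,P1002,2017-03-01T08:07:00,VIEW_CHART
rn_jones,P2001,2017-03-01T12:30:00,VIEW_RESULTS
reg_smith,P2001,2017-03-01T13:00:00,VIEW_CHART
md_patel,P1001,2017-03-01T14:15:00,VIEW_CHART
md_patel,P5005,2017-03-01T14:20:00,VIEW_CHART
"""

# Constructed roster: the patient record that belongs to each workforce member.
WORKFORCE_PATIENT_IDS: Dict[str, str] = {
    "rn_jones": "P2001",
    "reg_smith": "P3001",
    "md_patel": "P9001",
}

# Constructed care-team table: charts each user has a job reason to access today.
CARE_TEAM: Dict[str, Set[str]] = {
    "rn_jones": {"P1001", "P1002"},
    "md_patel": {"P1001"},
    "reg_smith": set(),
}


@dataclass(frozen=True)
class Finding:
    user_id: str
    patient_id: str
    timestamp: str
    reason: str


def classify_access(user_id: str, patient_id: str) -> Optional[str]:
    """Return why an access needs review, or None when it fits the need-to-know rule."""
    permitted = CARE_TEAM.get(user_id, set())
    if WORKFORCE_PATIENT_IDS.get(user_id) == patient_id:
        return "SELF_ACCESS"          # own chart: never permitted via the EHR
    if patient_id in permitted:
        return None                   # treatment/payment/operations relationship
    if patient_id in WORKFORCE_PATIENT_IDS.values():
        return "COWORKER_ACCESS"      # another workforce member's chart
    return "NO_CARE_RELATIONSHIP"     # any other chart with no job reason


def review_audit_log(log_text: str) -> List[Finding]:
    """Run every audit row through classify_access and keep the ones to investigate."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reason = classify_access(row["user_id"], row["patient_id"])
        if reason is not None:
            findings.append(Finding(row["user_id"], row["patient_id"], row["timestamp"], reason))
    return findings


if __name__ == "__main__":
    for f in review_audit_log(AUDIT_LOG):
        print(f"{f.timestamp} {f.user_id} -> {f.patient_id}: {f.reason}")
```

Run as-is, the script lists three rows for the Privacy Officer to look at: a nurse opening her own results, a registrar opening that nurse's chart, and a physician opening a chart of a patient he is not treating. Accesses that match the care-team table are left alone, which is the whole point of keeping that table current: the report is only as accurate as the relationship data behind it.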

Social Media

Social media websites are a great tool for sharing all kinds of information, BUT NEVER for sharing any kind of patient information, even in general terms! Remember that any information and images you post online could remain there forever and might be redistributed, shared, commented upon, and accessed by anyone, including your family, friends, or employers (even many years later). THINK before you post!

Computer & Email Security

- Log off or lock your computer when leaving your workstation.
- To lock your screen press:

Email
- All emails sent to another Aultman email address are secure.
- Emails sent externally that contain Protected Health Information MUST be encrypted. Type [SECURE] anywhere in the subject line to encrypt an email.

User IDs and Passwords
- Everyone must have a unique user ID and password, and each person is responsible for all activity that occurs under that combination.
- Mandatory password changes are required a minimum of every 90 days.
- Passwords should be strong to increase security.

Phishing Schemes

Phishing attacks are typically carried out through the use of emails that appear to be sent from a legitimate source. Recipients of these emails are directed to click on links that send them to websites designed to obtain sensitive information or install malicious software onto their device.

How to spot a phishing email

- Spelling and bad grammar: If you notice mistakes in an email, it may be malicious.
- The hyperlinked URL is different: Hover your mouse over the address in the "from" field to see if the website domain matches that of the site the email should have originated from.
- "You Won!!": A common scam is to send an email that says you won a prize for a contest you never entered.
- Make a donation: Unfortunately, phishing emails might ask for a donation to a legitimate cause, such as the American Red Cross. To be safe, contact organizations directly to make donations.
- Call to action: Often they will trick you into clicking on a link to reactivate your account or to remove a hold. Don't click on the link; instead, log onto the account in question directly through the organization's website.
- Requesting personal information: Reputable organizations will not ask for personal information in an email.
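The checks on this slide are the same ones a mail-filter rule or a help-desk triage script can apply mechanically. The following is an added example of that, not Aultman's own tooling: it parses a constructed message, compares the sender's domain with the organization's domain, compares each link's visible text with where the link actually points, and looks for requests for personal information and "act now" wording. The trusted domain, both sample messages and the keyword lists are assumptions made for the example.

```python
"""Phishing-indicator checks applied to a received message.

Added example; not Aultman's own tooling. The sample messages, the trusted
domain and the keyword lists are constructed for this example.
"""
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed: the domain the organisation's legitimate mail comes from.
TRUSTED_DOMAIN = "aultman.example"

# Constructed lure: account-reactivation theme with a disguised link.
SUSPICIOUS_MESSAGE = """\
From: IT Help Desk <helpdesk@aultman-support.example>
To: staff@aultman.example
Subject: Your account will be deactivated
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your mailbox is on hold. Click below within 24 hours to reactivate.</p>
<p><a href="http://login-verify.example/portal">https://portal.aultman.example</a></p>
<p>Reply with your user ID and password to avoid interuption.</p>
</body></html>
"""

# Constructed legitimate reminder for comparison.
BENIGN_MESSAGE = """\
From: Aultman Help Desk <helpdesk@aultman.example>
To: staff@aultman.example
Subject: Annual training reminder
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Reminder: annual compliance education is due next month.
See <a href="https://portal.aultman.example/training">the employee portal</a>.</p>
</body></html>
"""

PERSONAL_INFO_TERMS = ("password", "social security", "date of birth", "account number")
URGENCY_TERMS = ("reactivate", "within 24 hours", "remove a hold", "on hold", "immediately")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs plus all visible text in the body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self.text_parts: List[str] = []
        self._href: Optional[str] = None
        self._link_text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._link_text = []

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._href is not None:
            self._link_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._link_text).strip()))
            self._href = None


def domain_of(address_or_url: str) -> str:
    """Last two labels of the host in an e-mail address or URL (sufficient here)."""
    if "@" in address_or_url:
        host = address_or_url.rsplit("@", 1)[-1]
    else:
        host = urlparse(address_or_url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])


def phishing_indicators(raw: str, trusted_domain: str = TRUSTED_DOMAIN) -> List[str]:
    """Return the slide's warning signs found in one raw message."""
    msg = email.message_from_string(raw)
    sender_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    body = msg.get_payload(decode=True).decode("utf-8", errors="replace")

    parser = LinkExtractor()
    parser.feed(body)
    text = " ".join(parser.text_parts).lower()

    indicators: List[str] = []
    if sender_domain != trusted_domain:
        indicators.append(f"SENDER_DOMAIN_MISMATCH: {sender_domain}")
    for href, shown in parser.links:
        # Visible text that looks like a URL but points somewhere else.
        if shown.startswith(("http://", "https://")) and domain_of(shown) != domain_of(href):
            indicators.append(f"LINK_TEXT_MISMATCH: shows {domain_of(shown)}, goes to {domain_of(href)}")
        elif domain_of(href) != trusted_domain:
            indicators.append(f"LINK_DOMAIN_UNTRUSTED: {domain_of(href)}")
    indicators += [f"REQUESTS_PERSONAL_INFO: {t}" for t in PERSONAL_INFO_TERMS if t in text]
    indicators += [f"CALL_TO_ACTION: {t}" for t in URGENCY_TERMS if t in text]
    return indicators


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(name, phishing_indicators(raw) or ["no indicators"])
```

The lure trips four of the slide's signs at once (look-alike sender domain, link text pointing to a different site than the href, a password request, and reactivation pressure) while the genuine reminder produces none. Keyword lists like these are a triage aid, not a verdict: the slide's advice to go to the site directly rather than through the link still applies when a message scores zero.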

Ransomware

A type of malicious software designed to block access to a computer system until a sum of money is paid. It is installed through email attachments, infected downloads, or visiting malicious websites or links. Only open attachments, install downloads, or visit websites from known and trusted sources.

If you feel you have fallen victim to ransomware or a phishing scheme, please contact our IT Security Department IMMEDIATELY at: EPHIsecurity@aultman.com or Help.Desk@aultman.com

Resources

There are resources available to learn more about the HIPAA Privacy and Security Regulations:
- PolicyTech: This is our internal system that contains all of Aultman's HIPAA Privacy and Security policies and procedures. It can be accessed through the employee portal under Resources, then Policies & Procedures.
- Notice of Privacy Practices (NPP): This is a document we are required to give all patients. It summarizes our policies and procedures in regard to the requirements of HIPAA.

Issues we've seen at Aultman

- A random audit revealed an employee accessed their co-worker's records.
- Employees were receiving harassing phone calls from a patient's family demanding protected information. Guidance was provided to the staff.
- A group of employees posed for a picture while at work that was posted to social media. Patient PHI was visible on the computer behind them.
- A patient was sent home with another patient's discharge instructions or clinical summary.
- A department requested guidance on proper storage of PHI in their offices.
- A family member found a nurse's report paper with patient PHI on the ground in the hallway.
- A lab report was faxed to the wrong physician office.

Questions?

Compliance Department: Ext. 33380 or compliance@aultman.com

- Tim Regula, Chief Compliance and Privacy Officer: Ext. 37448 or (330) 363-7448, tim.regula@aultman.com
- Kelly Martinelli, Aultman Medical Group Compliance Officer: Ext. 46493 or (330) 433-1493, kelly.martinelli@aultman.com
- Valerie Waldorff, Aultman Orrville Hospital Compliance Liaison: Ext. 35425 or (330) 363-5425, valerie.waldorff@aultman.com
- Karen Wulff, Integrated Health Collaborative Compliance & Privacy Officer: Ext. 33115 or (330) 363-3115, karen.wulff@aultman.com
- Barbara McGill, HIPAA IT Security Officer/Analyst: Ext. 39784 or (330) 363-9784, barbara.mcgill@aultman.com

Direct questions regarding Systems and Technology Security to EPIsecurity@aultman.com or submit a Help Desk Ticket via the Employee Portal.

Post-test

HIPAA regulations require Aultman to provide on-going compliance education for all employees and other members of the Aultman workforce. We have created a post-test to demonstrate your understanding of the information provided in this education. Every employee must complete the post-test and answer 80% of the questions correctly. Please proceed to the post-test now.

Tana Rodgers BSN, RN, 2017