
Page 1: Privacy presentation  01 2017-b

Compassion, Courtesy, Respect

Windstone Health Services

Privacy Training: Privileges, CMIA, HIPAA

Page 2: What You'll Do in This Session

• Learn about the areas covered by the Code of Conduct
• Overview of healthcare privacy
• Learn about Federal law: HIPAA (Health Insurance Portability and Accountability Act)
• Learn about California state law: CMIA (Confidentiality of Medical Information Act)
• Take a short quiz on what you've learned about HIPAA

Page 3: Areas Covered by Code of Conduct

• Gift giving and receiving
• Harassment and discrimination
• Bullying
• Environmental standards
• Health and safety
• Personal use of company resources
• Relationships with contractors, vendors, etc.
• Substance abuse
• Fair dealing
• Workplace violence

Page 4: Areas Covered by Code of Conduct

The Code of Conduct represents:
o A set of written/unwritten rules outlining responsibilities, according to which people in a particular group, class, or situation are supposed to conduct themselves in a business setting.
o The "face" of the company culture.

The Code of Conduct is not intended to supersede any other applicable legal or regulatory requirements or any federal, state, or local government entity.

Windstone does not grant waivers to its Code of Conduct, conflict of interest and compliance standards.

Page 5: Areas Covered by Code of Conduct

Gift Giving and Receiving
o Windstone employees are prohibited from accepting or asking for bribes, kickbacks, gratuities or other forms of payment.
o Employees or other business affiliates may not offer anything to influence business or to gain special treatment as an individual or organization.

Harassment and Discrimination
o Windstone is committed to providing a work environment free of discrimination and harassment.
o The company will not tolerate any form of harassment at any level of the organization.

Page 6: Privacy presentation  01 2017-b

Work Place Bullyingo Windstone will not in any instance tolerate bullying behavior.

o Bullying is defined as repeated inappropriate behavior, either direct or indirect, whether verbal, physical or otherwise, conducted by one or more persons against another or others, at the place of work and/or in the course of employment

Environmental Standardso Health care facilities produce wastes of various types. We

are committed to safe and responsible disposal of waste products and the compliance with all applicable environmental laws and regulations.

Areas Covered by Code of Conduct

Page 7: Areas Covered by Code of Conduct

Health and Safety
o We maintain an Injury and Illness Prevention Program (IIPP) to assist in providing a safe and healthy work environment.
o Each employee is expected to obey safety rules and to exercise caution in all work-related activities.

Personal Use of Company Resources
o Company resources must be maintained and utilized according to the rules and regulations.
o We reserve the right to inspect all property to ensure compliance.
o Employees are prohibited from using company facilities or equipment for personal use without prior authorization.

Page 8: Areas Covered by Code of Conduct

Relationships with Contractors, Vendors, etc.
o We strive to employ the highest ethical standards in all business practices and to maintain integrity and excellent rapport with all business relations.
o Selection criteria will be objectively based upon quality, service, price, technical excellence and the overall ability to meet our business needs, and will not be determined by personal relationships and friendships.

Substance Abuse
o We are committed to providing a drug- and alcohol-free work environment to protect the interests of all individuals involved.
o The use of alcohol, illegal drugs, or controlled substances, whether on or off the job, can adversely affect an employee's work performance, efficiency, safety and health.

Page 9: Areas Covered by Code of Conduct

Fair Dealing
o We are dedicated to providing quality healthcare services to our community by maintaining the utmost ethical, legal and business standards.
o Employees are expected to conduct business honestly and fairly, without misrepresentation of material facts.

Workplace Violence
o It is our intent to provide a safe workplace for employees and to provide a comfortable and secure atmosphere for our customers and others with whom we do business.
o We have zero tolerance for violent acts or threats of violence.

Page 10: Areas Covered by Code of Conduct

Confidentiality and Privacy
o We follow state and federal laws regarding confidential information, and treat proprietary information, trade secrets and internal information as valuable assets.
o We adhere to the Health Insurance Portability and Accountability Act (HIPAA).

Page 11: Disciplinary Action

Failure to comply with this Code or the Compliance Plan may result in disciplinary action or termination.

Disciplinary decisions can vary depending on the severity and the frequency of the misconduct.
o You may be subject to disciplinary action if you are aware of a problematic situation and do not report it.

Page 12: Preventing Misconduct

In an effort to prevent misconduct, the company requires all employees and providers to:
o Know and comply with our policies and procedures
o Participate in annual Code of Conduct and all required compliance trainings
o Report incidents experienced directly or witnessed
o Cooperate with investigations

Page 13: HIPAA COMPLIANCE TRAINING

Page 14: Physician/Patient Confidentiality

• Long-time legal rule called a "privilege": a special entitlement or immunity.
o Communication between physician and patient is CONFIDENTIAL.
o Modern rule: also applies to psychotherapists, defined to include MDs, NPs, psychologists, licensed social workers, and LMFTs.
o Applies to agents (people who work for the clinicians).
• All employees must be aware of legally-required privacy considerations in all communications, oral, written or otherwise, regarding a member.

Page 15: The Health Insurance Portability and Accountability Act (HIPAA) & Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009

• Federal legislation originally enacted in 1996 to make it easier for people to move from one health insurance plan to another
• Protects and guarantees health insurance coverage when an employee changes jobs
• Balances concerns over the need to access health information with the patient's desire for privacy
• Prevents misuse and abuse of confidential medical information

Page 16: Who is Affected by HIPAA

• Employees who handle, use, or know individuals' Protected Health Information
• Health care providers (health departments, hospitals, doctors' offices, any agency that transmits PHI electronically)
• Health plans that provide or pay the cost of medical care (e.g. Medicaid, Medicare, BC/BS, HMOs)
• Trading partners, which electronically exchange Protected Health Information
• Business associates, which perform services "on your behalf"
• HIPAA also applies to you as a consumer of healthcare!

Page 17: California Law: CMIA

Confidentiality of Medical Information Act
• California was one of the first states to enact laws to protect the privacy of all medical information and to give patients rights to access and protect their medical records.
• Provides that all medical information is private and that patients have rights such as obtaining copies of their medical record.

Page 18: California Law: CMIA

Can disclose information for certain purposes:
o To clinicians for purposes of diagnosis and treatment
o To billing companies
o To quality committees/peer review
o To insurance plans

Page 19: California Law: CMIA

Special rules for psychotherapy
o Usually requires an authorization by the patient that
  1) sets forth the specific information to be released,
  2) states the length of time that the information will be kept before being destroyed, and
  3) includes a statement that the information will not be used for any other purpose.
o Can always be used for diagnosis and treatment.

Page 20: What does this mean for you?

• Speak with a lowered voice so others cannot overhear. NEVER use a speaker phone.
• Be very careful when leaving messages that can be replayed or overheard by others.
• Get permission before mailing documents to members.
• Document that permission in the member's medical record.

Page 21: What is covered? Protected Health Information (45 CFR 160.103)

• PHI is all individually identifiable health information
o including demographic information, physical or mental health information, or other information that identifies the individual
• PHI is information on treatment and care that is transmitted or maintained in any form or medium
o electronic, paper, oral, etc.
o Examples of where PHI can be found: medical records and billing records; insurance/benefit enrollment and payment; claims adjudication; case or medical management

Page 22: Examples of PHI

o Names
o All geographic information, including street address, city, county, zip code
o All elements of dates (except year)
o Telephone and fax numbers
o Email addresses
o Social Security numbers
o Medical record numbers
o Health plan beneficiary numbers
o Account numbers
o Certificate/license numbers
o Vehicle IDs, plates, serial numbers
o URLs, IP addresses
o Biometric IDs: finger and voice prints
o Full face photographs
o Any other unique identifying number or characteristic

Page 23: What is NOT covered by PHI (45 CFR 160.103)

• Employment records
• Family Educational Rights and Privacy Act (FERPA) records

Preemption of state law: the Privacy Rule overrides any other state law unless that state law provides more protection for the consumer.

Page 24: PHI Protection

• Conduct discussions so that others may not overhear them
• Do not leave medical records where others can see them or access them
• Keep medical test results private
• PHI should NOT be shared or be viewable in public areas
• Do not leave copies of PHI at copy machines, printers, or fax machines
• Do not share computer passwords or leave them visible
• Do not leave computer files open when leaving an unlocked or shared work area
• Dispose of paper containing PHI properly

Page 25: What Actions are Covered?

Use
o Internal
o With respect to "individually identifiable health information": the sharing, employing, applying, utilizing, examining, or analyzing of such information within the organization that maintains such information (45 CFR 164.501)

Disclosure
o External
o Release, transfer, allowing access to, or divulging information outside the organization (45 CFR 164.501)

Page 26: Use and Disclose for TPO

Covered Entities can use and disclose PHI without patient authorization for TPO purposes:
o Treatment: providing, coordinating, and managing health care, including consultation and referrals
o Payment: paying or being paid for health care services
o Operations: administrative, legal, quality, training, planning, contracting, and other necessary business functions

Page 27: Minimum Necessary Standard

• When using any PHI, health care employees must generally make reasonable efforts to limit each use, disclosure, or request to the minimum necessary to accomplish its intended purpose, that is, to what they need in order to do their jobs.

Page 28: Use of Power of Attorney (POA)

• Remember, confidentiality requirements apply to family members.
• DO NOT disclose to a member's spouse or children without a POA or, in limited situations, the express documented permission of the member.
• Signed authorizations for release of information are considered invalid if there is no expiration date or an event that triggers expiration.
o WBH release forms indicate expiration as either one year from the date signed or as noted.

Page 29: Use of Power of Attorney (POA)

• Here at WBH, the wife of a member called asking to speak to the practitioner regarding an issue with her husband's medication. We immediately called the practitioner to give him the wife's cell phone number. The practitioner refused to speak with the wife: the husband had expressly told the practitioner that he didn't want his wife involved in his treatment.

• Small-town hospital: a woman's pregnancy test was positive. A lab tech sees the woman's sister that night at a local restaurant and congratulates her. The woman wasn't married and wasn't going to disclose to her family. She sues and wins a judgment against the lab tech and the hospital.

Page 30: Incidental/Accidental Use/Disclosure

Some uses/disclosures are "incidental/accidental":
o Made in the course of routine operations (talking about a member to the clinical team and someone else overhears)
o Limited in nature (it occurred as the other person waited to talk to the clinical team)
o Could not be reasonably prevented
o Allowed IF:
  - The "minimum necessary standard" is followed
  - Reasonable safeguards are in place

Page 31: Incidental/Accidental Use/Disclosure

• Report an "INCIDENTAL/ACCIDENTAL USE AND DISCLOSURE" to your supervisor or the Compliance Officer IMMEDIATELY.
• DO NOT DESTROY any documents, e-mail messages, voicemail messages, or ANYTHING else relating to the disclosure.
• Destruction of records can result in additional discipline.
• A violation of PHI is considered a breach as soon as it occurs.

Page 32: HIPAA Gives Members the Right to:

• ACCESS their PHI, including inspecting and obtaining a copy of PHI
• AMEND incorrect records: a member can request an amendment
• An ACCOUNTING of disclosures: a member can request an accounting
• AUTHORIZE, or refuse to authorize, the use or sharing of PHI
• Designate someone to ACT on the patient's behalf regarding PHI
• ALTERNATIVE means: a member can request receipt of PHI by alternative means and at alternative locations, where routine communications could endanger the individual
• File a complaint about a possible breach of privacy

Page 33: Safeguarding Member Privacy: Administrative, Physical and Electronic Procedures

• Three types of safeguards:
1) Administrative
2) Physical
3) Electronic

Page 34: Administrative Safeguards

• Confidentiality agreement
• Confidentiality/HIPAA policies in the policy and procedure manual

Page 35: Physical Safeguards

• Use your key card; don't let strangers into the building.
• Pick up printouts and copies promptly from printers, fax machines, and copiers.
• Every day at close of business, clean off your desk.
• Use fax software to receive secure faxes directly into your computer.

Page 36: Physical Safeguards

• Use the locked trash bins in the hallway.
• Insert documents completely into the trash bin; do NOT leave papers containing PHI outside the bin.

Page 37: Electronic Safeguards

• Protect the confidentiality of transmitted electronic confidential information, including but not limited to electronic Protected Health Information (ePHI), by using a secure fax or the Secure File Portal.

Page 38: When E-mailing PHI

• E-mail PHI ONLY within:
o Windstone, HCP, CalOptima, HealthNet, MHN, ProspectMedical, and monarchhealth.com.
o For those companies with which we do "not" have a partnership, type "whss" within the email (subject or body), which will force outbound encryption.
o Do not place any PHI in the subject heading; an internal patient identifier (member ID number) or abbreviation may be used instead.
• For any other instances, PHI should either be faxed or placed on our Secure File Portal.
• Encrypted email policies and procedures can be found on the Wiki.
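The e-mail rules on this slide and the identifier list on the "Examples of PHI" slide translate directly into a pre-send check. The block below is an added example, not Windstone's tooling and not part of the original deck: it flags recognisable identifier patterns (SSN, phone, e-mail address, date, medical record number) in the subject line, and flags PHI addressed to a domain outside the partner list when the "whss" keyword is missing. The slide names partner organisations rather than domains, so every domain in the list except monarchhealth.com is a placeholder assumption; the regexes cover only identifier classes that are detectable by pattern (names, addresses and photographs are not); and the sample messages are constructed.

```python
"""Pre-send check for e-mails carrying PHI (added example, not Windstone tooling).

Rules modelled from the deck: PHI goes in the clear only to partner domains; any
other recipient requires the "whss" keyword in subject or body to force outbound
encryption; the subject line never carries PHI (use the member ID instead).
"""
from __future__ import annotations

import re

# Only monarchhealth.com is given as a domain on the slide; the others are
# assumed placeholder domains standing in for the named partner organisations.
PARTNER_DOMAINS = {
    "windstone.example", "hcp.example", "caloptima.example", "healthnet.example",
    "mhn.example", "prospectmedical.example", "monarchhealth.com",
}
ENCRYPTION_KEYWORD = "whss"   # from the slide: its presence forces outbound encryption

# Identifier classes from the "Examples of PHI" slide that a regex can recognise.
# Names, addresses, biometrics and photographs need other tooling.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),        # any date element
    "mrn": re.compile(r"\bMRN[:# ]*\d{5,}\b", re.IGNORECASE),  # medical record number
}


def find_phi(text: str) -> dict[str, list[str]]:
    """Map each identifier class found in *text* to the matching strings."""
    hits: dict[str, list[str]] = {}
    for label, pattern in PHI_PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[label] = found
    return hits


def recipient_domain(address: str) -> str:
    """Lower-cased domain part of an e-mail address."""
    return address.rpartition("@")[2].strip().lower()


def check_outbound(recipients: list[str], subject: str, body: str) -> list[str]:
    """Return the policy violations for one outgoing message (empty list = OK)."""
    violations: list[str] = []

    # Rule: no PHI in the subject heading, whoever the recipient is.
    subject_phi = find_phi(subject)
    if subject_phi:
        classes = ", ".join(sorted(subject_phi))
        violations.append(f"PHI in subject line ({classes}); use the member ID instead")

    # Rule: PHI to a non-partner domain needs the encryption keyword.
    external = sorted({recipient_domain(r) for r in recipients} - PARTNER_DOMAINS)
    carries_phi = bool(subject_phi or find_phi(body))
    keyword_present = re.search(
        rf"\b{ENCRYPTION_KEYWORD}\b", subject + "\n" + body, re.IGNORECASE
    ) is not None
    if external and carries_phi and not keyword_present:
        violations.append(
            f"PHI addressed to non-partner domain(s) {', '.join(external)} without the "
            f"'{ENCRYPTION_KEYWORD}' keyword; add it, fax, or use the Secure File Portal"
        )
    return violations


if __name__ == "__main__":
    # Constructed sample: partner recipient, PHI kept out of the subject -> no findings.
    print(check_outbound(["referrals@monarchhealth.com"],
                         "Member 44512 referral",
                         "DOB 03/14/1981, callback 714-555-0100"))
    # Same body to an outside domain with no keyword -> flagged.
    print(check_outbound(["billing@other-clinic.example"],
                         "Member 44512 referral",
                         "DOB 03/14/1981, callback 714-555-0100"))
```

The check only confirms that the sender followed the procedure; the encryption itself is done by the mail gateway that reacts to the keyword, so a gateway rule that silently stops matching "whss" would defeat this check without any signal here. Pattern matching also under-reports: a subject line carrying a patient's name passes, which is why the slide's rule is "no PHI in the subject" rather than "nothing the scanner catches".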

Page 39: Secure File Portal

• The Secure File Portal should be used whenever transmitting PHI outside of Windstone as an alternative to faxing; remember, it is always best to err on the side of caution if you are unsure.
• For more information about the portal please contact: John Wright @ ext. 283

Page 40: Fax Confidentiality Warning

Do not delete this from any outgoing emails:

This facsimile transmission, including any attachments, contains information from Windstone Behavioral Health, which may be confidential or privileged. The information is intended to be for the use of the individual or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this facsimile transmission in error, please notify the sender immediately and destroy all copies of the communication, including attachments.

Page 41: Top 10 Privacy & Security Practices

1. When in doubt, don't provide information.
2. Access information on a need-to-know basis, only to do your job.
3. Verify fax numbers before sending.
4. Do NOT send e-mails containing PHI outside of WBH except to those in partnership with WBH (see Wiki policies), or use the "whss" encryption procedure.
5. Verify the identity of a caller before releasing confidential information.
6. Discuss patient information as privately as possible.
7. Never share your password with anyone (except your Supervisor).
8. Log off before you walk away from your computer.
9. Maintain the security of all patient information in all media (paper, electronic, oral, etc.).
10. Dispose of confidential information according to proper procedures (locked shred bins).

Refer complaints and concerns to WBH's Compliance Officer or Security Officer.

Page 42: HIPAA Violations in the News

• Cignet Health Center, a group of clinics in Maryland, was fined $4.3 million for failing to release medical records to patients requesting them.
• Rite Aid: $1 million fine for disposing of prescriptions and pill bottles in regular trash containers.
• UCLA: $865,500 fine due to employees improperly accessing celebrity patients' medical records.
• In Alabama, the leader of a counterfeit prescription fraud scheme was sentenced to six years in prison for HIPAA violations and identity theft.

Page 43: Penalties for HIPAA Violations

HIPAA civil penalties include:
o $100 / person / violation
o $25,000 / year for multiple violations of the same requirement

These are the civil-penalty figures from the 1996 statute; the HITECH Act of 2009 replaced them with a tiered schedule whose maximums are far higher, so treat the numbers above as a floor rather than the current exposure.

Page 44: Penalties for HIPAA Violations

HIPAA criminal penalties include:
o $50K and/or 1 year imprisonment: for knowingly or wrongfully disclosing or receiving PHI
o $100K and/or 5 years imprisonment: for committing the offense under false pretenses
o $250K and/or 10 years imprisonment: for intent to sell PHI or client lists for personal gain or malicious harm

You can be personally liable! These penalties apply to oral, paper and electronic Protected Health Information (PHI).

Page 45: Corporate Compliance Officer & Quality Manager

Person within a Covered Entity who is responsible for monitoring patient privacy, enforcing the HIPAA Privacy Rule and maintaining the physical perimeter of the Covered Entity's place of business:
o Lisa Casey
o 714.384.3870 x 212
o [email protected]

Page 46: Security Officer

Person within a Covered Entity who is responsible for monitoring the storage and transmission of electronic PHI:
o John Wright
o 714.642.1813 (cell), or
o 714.384.3870 ext. 283
o [email protected]

Page 47: HIPAA Complaints

• You are always free to speak with the Security Officer or the Compliance/Privacy Officer; your complaint will be kept confidential.
• You may contact the Office for Civil Rights of the Department of Health and Human Services or the Office of the Inspector General.
• HIPAA prohibits retaliation of any kind for filing a complaint.

Page 48: HIPAA Quiz

1. Does the physician/patient privilege provide for the confidentiality of communications with psychotherapists?
   Yes ________   No ________

2. What does the acronym CMIA stand for? ________________________________________

3. Is this a state or federal law? _______________

4. What does the acronym HIPAA stand for?
   _____ Health Insurance Privacy and Administration Act
   _____ Health Insurance Portability and Accountability Act
   _____ Healthcare Industry Privacy and Accountability Act

5. Is this a state or federal law? _______________

Page 49: HIPAA Quiz

6. What does HIPAA do?
   ____ Prevent health care fraud and abuse
   ____ Provide for electronic and physical security of a patient's health information
   ____ Protect the privacy and security of a patient's health information
   ____ All of the above

7. What does PHI stand for? ________________________________

8. What information constitutes PHI? (check all that apply)
   ____ Concerns the health status of an individual
   ____ Identifies the individual by name, telephone, etc.
   ____ Covered transactions (eligibility, enrollment, healthcare claims, payment, etc.) performed electronically
   ____ All of the above

Page 50: HIPAA Quiz

9. When can you use or disclose PHI?
   ___ For obtaining payment for services, if it is part of your job
   ___ For the treatment of the patient, if it is part of your job
   ___ When the patient has authorized, in writing, its release
   ___ All of the above

10. A violation of PHI is considered a breach when:
   ____ The incident becomes known
   ____ The affected individual finds his/her identity stolen
   ____ The Covered Entity or Business Associate concludes the analysis of whether the facts constitute a breach
   ____ It occurs

Page 51: HIPAA Quiz

11. Which of the following apply to emailing PHI outside of Windstone? (check all that apply)
   ___ An email to Monarch is automatically secure
   ___ Using the patient name in the subject heading is permissible
   ___ Typing whss in the subject or body of an email will force encryption
   ___ Specific policies and procedures for encryption can be found on the Wiki
   ___ All of the above

12. A co-worker is called away for a short errand and leaves their PC logged into a confidential information system. You need to look up information that is only available on that computer. Aside from notifying the appropriate person, what is the best approach you should take?
   ___ To save time, continue working under your co-worker's User-ID
   ___ Log your co-worker off and log in again under your own User-ID and password
   ___ Do nothing
   ___ All of the above

Page 52: HIPAA Quiz

13. A staff member may reply to an email communication from a client containing PHI as long as it is secured.
   True _____   False _____

14. Signed authorizations for release of information are considered invalid if there is no expiration date or an event that triggers expiration.
   True _____   False _____

15. What does "minimum necessary" mean? ____________________________________

16. Which of the following is never acceptable to leave in a message on an answering machine?
   ____ The caller's name
   ____ The minimum necessary information to request that the client return the phone call if necessary
   ____ Test results
   ____ All of the above

Page 53: HIPAA Quiz

17. What are considered physical safeguards? (check all that apply)
   ____ Confidentiality policy
   ____ Every day at close of business, clean off your desk
   ____ Lock file cabinets and drawers at close of business
   ____ Remove papers from copiers/fax machines

18. What are considered electronic safeguards? (check all that apply)
   ____ Never share your password with another person
   ____ Never log in on another person's password
   ____ Never write your password down
   ____ Lock your desk or file cabinets each day
   ____ Never share or open attached files from unknown sources

19. Can you complain about HIPAA violations without retaliation?
   Yes ____   No ____