GURUJODHA KHALSA,

About This Presentation

Title:

GURUJODHA KHALSA,

Description:

hipaa privacy, security and compliance gurujodha khalsa, deputy county counsel, chc robin bowe, bsn, rn, c, chc compliance coordinator privacy officer risk manager – PowerPoint PPT presentation

Number of Views:41

Avg rating:3.0/5.0

Slides: 72

Provided by: Bow79

Category:

more less

Transcript and Presenter's Notes

Title: GURUJODHA KHALSA,

1
2010 Annual Review HIPAA Privacy,
Security and Compliance

GURUJODHA KHALSA,
DEPUTY COUNTY COUNSEL, CHC
ROBIN BOWE, BSN, RN, C, CHC
COMPLIANCE COORDINATOR
PRIVACY OFFICER
RISK MANAGER
Rev. 10/10

2
2010 Regulatory Changes

Changes in the legal and regulatory environment
Changes in the delivery and payment of healthcare
costs.
Changes in the privacy and security of Protected
Health Information (PHI)

3
HIPAA Privacy Rule Changesfor 2010

Health Information Technology for
Clinical Health Act (HITECH)
Signed into law as part of the American Recovery
and Reinvestment Act of 2009
Major changes include
Applies the HIPAA Privacy and Security Standards
to Business Associates
Establishes Federal reporting requirements for
privacy breaches

4
HIPAA Privacy Rule Changefor 2010

Established new criminal and civil penalties for
non-compliance and new enforcement
responsibilities
New Patient Privacy Rights to include
KMC must agree to a patients request for
restriction of their health record for purpose of
payment or healthcare operations
Patients may request a copy of their medical
record electronically once an Electronic Medical
record is in place
New restrictions on the use/disclosure of PHI
for marketing and fundraising

5
Unauthorized Verbal Disclosureand HIPAA

Use good judgment - limit the conversation of any
private or confidential info to people who
require the information in the normal performance
of their job duties.
Discussion of confidential information is not
permitted in a public area(for example the
cafeteria or the elevator).
Be aware of your environment BEFORE you speak.
(think who might be able to hear me?)

6
Unauthorized Written or Electronic Disclosure
and HIPAA

Keep all documents secure (clipboard, locker or
cubicle)
KMC Staff/Medical Students or other persons
assigned to KMC
not allowed to take PHI off Kern Medical Center
campus
Shred all PHI that is not used at the end of the
day
gray shred bins
Double check your documents (immunization records
or other paperwork) have correct patient name
labeled and are given to the correct patient
Use a fax cover sheet for all faxes
Double check the fax number before pressing send
on a fax
(PHI)-Patient Health Information

7
HIPAA Security

KMC is required to establish policies and
procedures
assuring compliance with the HIPAA Security
Standards
Overall objective - maintain the privacy and
confidentiality of information
Requires initial and ongoing training

8
HIPAA Technical Safeguards

Designed policies , procedures, and processes to
protect, control and monitor information
Designed to control access and assure appropriate
consent and audit control
Designed to prevent unauthorized access

9
HIPPA Administrative Safeguards

KMC is required to have
A Privacy Officer
Contracts with Business Associates
Policies and procedures in place

10
HIPAA Physical Safeguards

All KMC staff that maintain PHI are required to
Secure PHI in locked file cabinets
Assure at all times
doors are locked where PHI is maintained
computer screens cannot be seen by the public
Fax machines are secure

11
Unauthorized Access to Information Systems

Access that is not allowed to computerized
academic or administrative records or systems
viewing or altering computer records, modifying
computer programs or systems, releasing or
dispensing information gained via unauthorized
access, or interfering with the use or
availability of computer systems or information.
(45 CFR 164.312(a)(1) Access Controls)

12
Computer Access

Access is granted by the Department Chairman,
Manager or Supervisor for
KMC paper and electronic record (need to know
basis)
By job description or job responsibilities.
Employees are mandated to keep passwords secure
and to log off computer systems.

13
Deficit Reduction Act

What Federal Programs are affected?
Medicare
Medi-Cal
Any other federally funded contract or program
Examples at KMC
CDPH at Sagebrush
CPS at OB/GYN Clinic
CDPH-California Dept. of Public Health
CPS-Child Protective Services

14
Compliance

Remember..
Understand, follow and implement applicable KMC
policies and procedures on behalf of the patient
and their family.

15
Compliance False Claims

An individual who files a false claim for the
payment of health care services and
Has actual knowledge that information on a claim
is false or
Deliberately
Acts ignorant of the truth or falsity of the
information or
Acts in a reckless disregard of the truth or
falsity of the information.

16
False Claims Act

Penalizes the knowing submission of false or
fraudulent claims to the Unites States
Government.
For each false claim submitted violators are
subject to
civil penalties and
criminal prosecution

17
Qui Tam Suits

A lawsuit filed by a private party against one
or more people or an organization claiming
fraudulent practices against the U.S. Government
Informing the government does not allow the
individual to claim a financial award
Also called whistleblower suit
Any whistleblower is protected
any employee who is discharged, harassed, or
otherwise discriminated against because of lawful
acts
by the employeeunder the Act is entitled to any
relief
necessary to make the employee whole

18
KMC REPORTING HOTLINE

Patient safety issues (non-emergent)
HIPAA privacy security Issues
Quality of Care Issues 326-2665
Compliance Issues
Anonymous calls are OK!
Emergency safety issues dial 5

19
Other Ways to Report

You may contact any of the following
people or organizations directly at any time
Compliance Coordinator Robin Bowe RN
326-2048 (phone), 307-2537 (pager)or
e-mail bower_at_kernmedctr.com
Kern County Compliance Hotline 800-620-6047
California Department of Public Health
(CDPH) 661-336-0543
Federal CMS Hotline 800-447-8477
The Joint Commission
www.complaint_at_jointcommission.org or
630-792-5636 (fax)

20
Your Responsibility

All employees must maintaining the privacy and
security of all documents (paper or electronic
format)
This requirement pertains to all areas of the
hospital and off-site areas (clinics, Home
Health, Sagebrush)
Do not leave PHI in your car or take it home
Know the code of the patient to prevent
inadvertent disclosures (Opted Out Patients and
Publicity Codes)
Faxing Fax to an authorized number and use a fax
cover sheet. Confirm the number before sending
the fax.

21
What You Need to Do

Obtain an authorization from the patient for
release of information
Obtain permission (verbal/written) from the
patient to discuss their care in front of family
or friends.
Document this discussion in the medical record
Do not place PHI on any portable devices
including but not limited to
thumb drives, cell phones, PDAs
Do not share your passwords
Log off the computer you are using

22
Consequences of Non-Compliance

Fines and penalties levied against KMC
Civil penalties for the Hospital and
the employees involved
Criminal sanctions including fines and jail time
Disciplinary action up to an including
termination
Negative image in the community may be a
reflection of any breach

23
What is HIPAA?

Be careful with what others can see
PHI - (paper or electronic)
Be careful of what others can over hear you
saying
Be careful not to talk about patients in public
areas
(nursing station, cafeteria, elevator etc.)

24
Any Questions
25

Post Test

26
All Questions are T or FPlease mark answers
on your scan-tron

Kern Medical Centers Compliance Coordinator and
Privacy Officer is Robin Bowe?
There are new Privacy Rules for the wrong use and
disclosure (sharing) of PHI that are effective
January 2009?

27
T or F?

Kern Medical Centers Compliance Coordinator and
Privacy Officer is Robin Bowe.
There are new Privacy Rules for the inappropriate
(wrong) use (working with) and disclosure
(sharing) of PHI that are effective January 2009.

28
T or F?

Kern Medical Center will be held liable for any
inappropriate release of PHI?
Kern Medical Center must notify the patient and
the California Department of Public Health of an
incident?

29
T or F?

You should double check the fax number before you
send a fax?
Access into a patient file should be related to
those patients that you are taking care of or
have been consulted to see?

30
T or F?

You are not allowed to access the patient file
(paper or electronic) of family and friends?
KMC staff are expected to Abide by the KMC Code
of Conduct and Confidentiality Statement at all
times?

31
T or F?

KMC discourages unethical behavior including
fraud and abuse?
Both KMC and the County of Kern have a hotline to
report fraud and abuse?

Reference Slides

33
HIPAA?

HIPAA The Health Insurance Portability and
Accountability Act
A Federal Law Created in 1996

H I P A A
Health Insurance Portability and
Accountability Act
It is considered the MOST significant healthcare
legislation since Medicare in
1965!!!
Insurance Reform/Coverage
Administrative Simplification
34
Protected Health Information (PHI)

Anything written, oral or electronic that can
identify the patient
Examples
1. Name
2. Medical Record Number
3. Social Security Number
4. Birth date

35
Faxing PHI

Only provide info the receiver needs
Must use fax cover sheet when faxing PHI
Verify number and recipients authority to have
info before sending
Fax machines are located only in secure, attended
places
Dont leave incoming faxes unattended pick them
up right away!
Think is this information secure?

36
ConfidentialityADM-IM-314

Outlines Kern Medical Centers philosophy
regarding privacy and confidentiality
Outlines the following
a. Internet
b. E mail
c. Faxing
d. Messages on answering machines
e. Sanctions Outlines sanctions that will be
applied to employees who fail to comply with the
privacy policy and procedures or the requirements
of HIPAA

37
Confidentiality

Should only access files for which you have the
need to know
When accessing information it should be for the
minimum necessary to carry out job
responsibilities
Access Code Process assist inpatient areas, Same
Day Surgery and Diagnostic Treatment Center in
releasing information

38
Inmates

High Security
a. Restricted Visiting
b. Restricted Calls
c. Restricted Mail
d. Guard (s) at the bedside
Low Security
a. Unrestricted Able to have visitors, mail,
phone calls
b. No guard at the bedside

39
HIPAA Security
40
Privacy is a right, confidentiality is a
condition

And security is a safeguard.
If the SECURITY fails, a breach of
CONFIDENTIALITY occurs, and the PRIVACY of the
individual is invaded

41
IS Security

Password Keep Protected
Log Off IS systems
Audit trail Capability
Need to Know

42
False Claims Act

Federal Legislation ( USC Title 31 3729-37330
Dates back to the Civil War (Lincoln Law)
Allows private persons to sue those who defraud
the government (qui tam)

43
California Fraud Laws

California False Claims Act
Government Code 12650-12656
Mimics federal law
Holds individuals responsible if they knowingly
benefit from a fraudulent claim

44
California Fraud Laws

Welfare Institutions Code
14014, 14107
Penal Code
487, 550
Business and Professions Code
17200, 17500
Government Code
12650

45
California Fraud Laws

Covers a wide variety of actions
Encouraging another to receive healthcare for
which they are not eligible
Knowingly filing a claim for greater compensation
than is eligible
Offering to pay bribes or kickbacks
Purchasing, ordering or leasing services that are
unnecessary or unlawful

46
What Constitutes False Claims?

Knowingly using (or causing to be used) a false
statement or record to conceal, avoid, or
decrease an obligation to pay money or transmit
property to the Federal Government
Conspiring with others to get a false or
fraudulent claim paid by the Federal Government

47
Examples of Fraud

Billing for services never rendered
Billing for more expensive services than were
rendered
Performing medically unnecessary services solely
to acquire insurance payment
Misrepresenting non-covered services as medically
necessary, covered services

48
Qui Tam Suits

Awards may be from 10 30 of the total
recovery from the defendant
Conditions
The extent to which the person contributed to the
prosecution of the action (how much information
was provided)
If the government participates in the lawsuit

49
Your Responsibility

Be aware of hospital policies and procedures
dealing with Fraud and Abuse
Understand how your department addresses
prevention of false claims
Report your concerns

50
Notice of Privacy PracticesADM-RI-625

Outlines how Kern Medical Center may Use and
Disclose Protected Health Information (PHI)
Informs the patient of their rights under HIPAA
for Use and Disclosure of PHI
Patient signs an Acknowledgment Form for Receipt
of Notice of Privacy Practices

51
Notice of Privacy Practices (contd)

Only needs to be signed once unless we change the
Notice
Forensic/Correctional/Custodial patients do not
have the right to the Notice of Privacy Practices
Process in place for Admitting to get it signed
in the event the patient is unable to do so
Quality management tool to monitor compliance
Posted on the Internet in English and Spanish at
www.kernmedicalcenter.com

52
Communications by Alternative MeansADM-RI-626

Patients right to request Kern Medical Center to
send communications of PHI by alternative means
or locations
Example
1)Mail delivered to a different address
2)Phone messages delivered to a friends house

53
Communications by Alternative MeansADM-RI-626

Patients right to request Kern Medical Center to
send communications of PHI by alternative means
or locations
Example
1)Mail delivered to a different address
2)Phone messages delivered to a friends house

54
Verbal Communication

Good judgment is utilized to limit the discussion
of any private or confidential info with
appropriate individuals who require the
information in the normal performance of their
job duties.
Discussion of confidential information is not
permissible in any public area.

55
Permitted Uses and DisclosuresADM-IM-340

Outlines those disclosures that may be made with
and without the authorizations of the patient
Examples
a. Tumor Registry
b. Law Enforcement
c. Organ Donation

56
Designation of Privacy OfficerADM-LD-615

Do you know you Kern Medical Centers Privacy
Officer is?
Answer
Robin Bowe BSN,RNC
Phone326-2048
Pager307-2537
Office2361
Responsible for handling complaints and concerns
regarding privacy and confidentiality

57
Use and Disclosure of PHI Requiring Patient
AuthorizationADM-IM-320

Outlines the steps in having the patient fill out
their authorization form in order for KMC to
disclose their PHI per their request
Available in English and Spanish on the Intranet
under Physician Orders and Forms

58
General Uses and Disclosures of PHIADM-IM-325

Outlines the general rules and regulations for
Use and Disclosure of PHI
a. Who can we release information to?
b. When do you not need a consent?
Example Is it for Treatment, Payment, Health
Care Operations (TPO)
c. Know the definitions located in all policies

59
Minimum Necessary Use and Disclosure of
PHIADM-IM-345

Outlines Kern Medical Centers responsibility to
disclose the minimum amount of PHI to carry out
the intended purposes or intent of the disclosure
Example Disclosure related to this visit or
hospitalization and not something that happened
10 years ago

60
Internet PolicyADM-IM-316

Do you use the Internet?
This policy outlines the guidelines for Internet
use at KMC
Certain Internet sites are automatically block
by Information Systems

61
E MailADM-IM-110

Do you use e mail?
Outlines the employee responsibility in email
usage at KMC
Should be used for business use only and not for
personal use

62
Faxes

Use Discretion limit the information
transmitted by fax to what is minimally necessary
to meet the requesters needs.
Must use fax cover sheet when transmitting
protected health info.
Verify number and the recipients authority
before sending PHI
Fax machines are not to be located in
open/unattended areas.
Do not leave incoming faxes unattended.

63
Maintenance of Computer Access to the Hospital
Information SystemsADM-IM-105

Outlines how employees obtain access to the
Hospital Information Systems
Outlines employee responsibility for Information
Systems
Requires all Employees to sign a Confidentiality
Agreement

64
Media PolicyADM-RI-203

Outlines Kern Medical Centers responsibility for
Use and Disclosure of PHI to the News Media
Employee Responsibility
Refer all phone calls to Public Relations
Monday-Friday during normal business hours and to
the House Supervisor after hours and weekends

65
Abuse Identification of Victims and Reporting
RequirementsADM-RI-601

Kern Medical may disclose Protected Health
Information (PHI) without authorization to a
government authority when the organization
reasonably believes the individual to be a victim
of abuse, neglect, or domestic violence. This is
permitted to the extent the disclosure is
required by law and the disclosure complies with
and is limited to the relevant requirements of
such law

66
MitigationADM-LD-613

Definition To decrease the harmful effects
Example When reviewing how PHI is used at KMC or
once a breech or violation occurs, KMC will take
steps to ensure that the breech will not happen
again.
This is usually done by the development of an
Action Plan with all parties involved

67
Sanctions

Unauthorized access or disclosure of PHI or
violations relating to PHI may result in
disciplinary action up to and including
termination of employment

68
Workforce TrainingADM-LD-617

Outlines how education regarding policies and
procedures occur at KMC
Reviews what may generate educational needs
Example
a. Changes in the Law
b. Change is Standard

69
Record RetentionADM-IM-320

Requires KMC to keep records related to all HIPAA
and Compliance related decisions for a period of
6 years or for the length of time required to
keep the medical record

70
What is the Result of Non Compliance?

The actions address claims for service by
healthcare organizations that were either not
provided or that clearly misrepresented the
treatment actually given to a patient
By contrast now, the government is aggressively
going after cases and allegations of medically
unnecessary or substandard care

71
Educational Process