MODULE 9 - STUDENT Privacy and Information Security 2013

greenpepperwhinny, Security

3 Nov 2013 (3 years and 10 months ago)


Regulatory Training

Privacy & Information Security

Learning Objectives

This course will help you comply with privacy, information security, and identity theft regulations. After completing this course, you should be able to:

- Distinguish between which uses and disclosures of protected health information are allowed and not allowed under the HIPAA Privacy Rule.
- Recognize safeguards required to ensure the security and integrity of electronic protected health information.
- Recognize a security breach under federal or state Identity Theft Laws.
- Identify where to report concerns regarding these topics.



Introduction


As a worker in the health care industry, you are affected by multiple laws and regulations establishing requirements related to privacy, information security, and identity theft.

This lesson will:

- Provide an overview of the HIPAA privacy laws and regulations;
- Describe the organization's responsibilities; and
- Describe your responsibilities at UMass Memorial.

For more information, including UMass Memorial policies and forms, go to the Privacy & Information Security website.

Privacy Rule

This section reviews the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

The Privacy Rule sets the first national standards for protecting the confidentiality of protected health information (PHI). The goal of the Privacy Rule is to balance two important aspects of health care:

1. Protecting the privacy of patients
2. Allowing flow of health information when needed to:
   - Ensure high quality health care
   - Protect public health

What is PHI?

PHI - Protected Health Information (PHI) is defined as all individually identifiable health information created, transmitted, received or maintained by a covered entity (UMMMC). This includes any information, including demographics, which identifies or could reasonably identify an individual, their health/condition, treatment or provision/payment for their health care.

Identifiable information includes: name, address, city, county, zip code, names of relatives, names of employers, birth date, telephone number, fax number, e-mail address, social security number, any vehicle or other device serial number, web URL, Internet Protocol address, finger or voice prints, photographic images, and any other unique identifying number, characteristic or code.


Examples of PHI in the Workplace:

- Communications: Switchboard, hallway conversations, dictation, shift reports, appointment scheduling, telephone conversations and meeting discussions.
- Paper Documents: Medical records, prior authorizations, white boards, clinic reports, shift reports, wristbands, encounter forms, requisitions, dietary cards, medication labels and downtime logs.
- Electronic Documents/Displays: Claims, computer screens, patient monitors, identifiable photos, EKG strips, films, test results, e-mail, faxes and electronic files.


What is a Business Associate?

A Business Associate (BA) is a person or organization that uses PHI (including electronic PHI) to perform a service or function on behalf of UMass Memorial. Examples include outsourced transcriptionists and coders, billing services, financial institutions, contracted vendors, and collection agencies.

- Specific contract language is required with BAs to make certain they will properly safeguard all PHI.
- Managers involved in the review, approval and authorization of contracts must ensure the UMass Memorial approved Business Associate Agreement (BAA) is in place before disclosing PHI to an outside party.
- Do not disclose more than is necessary for the BA to complete the agreed upon function.
- When in doubt, call the Office of the General Counsel or the Privacy & Information Security Offices.

Allowable Uses & Disclosures

Without Authorization

Minimum Necessary:

- For all uses/disclosures of PHI under the Privacy Rule, except treatment, we must only use/disclose the minimum amount of PHI necessary.
- Workforce members may only access, use, or disclose records of patients under their care or related to their job duties. Accessing family members, friends, co-workers, or others is not permitted without the patient's written authorization.

In addition to communicating with the patient, the Privacy Rule allows use/disclosure of PHI by a covered entity, without authorization, for the purpose of:

- Treatment activities
- Payment activities
- Health care operations activities
- De-identified information





Allowable Uses & Disclosures

The Privacy Rule allows use/disclosure of PHI by a covered entity, without authorization, for the purposes of:

Treatment Activities

PHI may be used/disclosed among providers when two or more providers:

- Provide health care services for a patient
- Coordinate health care services for a patient
- Manage health care services for a patient

Examples include:

- Consultation between providers
- Referral from one provider to another



Payment Activities

PHI may be used/disclosed by a health plan to:

- Obtain premiums
- Determine responsibility for coverage/benefits
- Fulfill responsibilities for coverage/benefits
- Give or receive payment for health care provided to a patient

PHI may be used/disclosed by a provider to:

- Obtain payment for providing care to a patient
- Obtain reimbursement for providing care





Health Care Operations

PHI may be used/disclosed when an organization is:

- Performing quality assessment and improvement activities
- Conducting training, certification and licensing activities
- Evaluating provider competency
- Conducting or arranging for medical services, audits or legal services
- Performing certain insurance functions
- Planning, developing, managing or administering business activities



De-identified Information

Health care information that is stripped of all identifying information and unique characteristics or codes including:

- Name
- Address, including: street address, city, county, zip code, equivalent geocodes
- Names of relatives and employers
- Birth date
- Telephone and fax numbers
- E-mail addresses
- Social security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Any vehicle or other device serial number
- Web URL
- Internet Protocol (IP) address
- Finger or voice prints
- Photographic images
- Any other unique identifying number, characteristic, or code
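The list above is the set of identifiers that must be stripped before information counts as de-identified. The Python below is an added example, not part of this training module and not a UMass Memorial tool: it drops those identifier fields from a structured record, masks the patterned identifiers (SSN, phone, e-mail, URL, IP address, dates) inside a free-text note, and reports which identifier categories remain. The field names, the regular expressions and the constructed sample record are assumptions for this example.

```python
import re
from typing import Dict, List, Tuple

# Structured fields matching the identifier categories listed above.
# These field names are assumptions for this example; map them to your own schema.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "street_address", "city", "county", "zip_code",
    "relative_names", "employer", "birth_date", "telephone", "fax", "email",
    "ssn", "mrn", "health_plan_beneficiary_number", "account_number",
    "certificate_license_number", "vehicle_serial_number",
    "device_serial_number", "web_url", "ip_address", "fingerprint",
    "voiceprint", "photo",
}

# Free-text patterns for identifiers that have a recognizable shape. Identifiers
# without a fixed shape (a name typed into a note) are NOT caught here.
FREE_TEXT_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("ssn",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"\(?\b\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("url",   re.compile(r"\bhttps?://\S+", re.IGNORECASE)),
    ("ip",    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("date",  re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b")),
]


def scrub_free_text(text: str) -> Tuple[str, List[str]]:
    """Replace each patterned identifier with a category tag.

    Returns the scrubbed text and the list of categories that were found.
    """
    found: List[str] = []
    for label, pattern in FREE_TEXT_PATTERNS:
        if pattern.search(text):
            found.append(label)
            text = pattern.sub(f"[{label.upper()} REMOVED]", text)
    return text, found


def deidentify(record: Dict[str, object],
               free_text_fields: Tuple[str, ...] = ("notes",)) -> Dict[str, object]:
    """Drop direct-identifier fields and scrub the free-text fields of a record."""
    clean: Dict[str, object] = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                      # listed identifier: remove the whole field
        if field in free_text_fields and isinstance(value, str):
            value, _ = scrub_free_text(value)
        clean[field] = value
    return clean


def residual_identifiers(record: Dict[str, object]) -> List[str]:
    """Name the identifier categories still present; an empty list passes this screen."""
    present = [f for f in record if f in DIRECT_IDENTIFIER_FIELDS]
    for field, value in record.items():
        if isinstance(value, str):
            present.extend(f"{field}:{label}" for label in scrub_free_text(value)[1])
    return present


# Constructed sample record; every value is made up for this example.
SAMPLE_RECORD = {
    "mrn": "MRN-0000123",
    "name": "Pat Example",
    "birth_date": "1970-01-01",
    "zip_code": "01655",
    "diagnosis_code": "E11.9",
    "encounter_year": 2013,
    "notes": "Pt called from 508-555-0100 about bill; e-mail pat@example.org; "
             "SSN 123-45-6789 on file.",
}

if __name__ == "__main__":
    print("before:", residual_identifiers(SAMPLE_RECORD))
    cleaned = deidentify(SAMPLE_RECORD)
    print("after: ", residual_identifiers(cleaned))
    print(cleaned)
```

Removing the listed fields is necessary but not sufficient: a name typed into a free-text note has no fixed shape and passes the pattern scrub, so the residual check is a screen for obvious leftovers, not proof that a record is de-identified.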



Allowable Uses & Disclosures

Without Authorization (When Required or Permitted by Law)

Protected health information may be used, disclosed, and tracked by authorized members of the workforce in preparation for disclosure required or permitted by law. The individual who discloses the information is responsible for verifying the identification of the requester through picture identification and/or reviewing a written request on official letterhead. These uses/disclosures include:

- Public health activities
- Victims of abuse or neglect
- Health care oversight activities
- Judicial and administrative proceedings
- Law enforcement purposes (limited disclosure may be permitted)
- Decedents
- Organ donation
- Serious threat to health or safety
- Specialized government function
- Workers' compensation




Public Health Activities

Public health activities authorized by law such as disease prevention/control (vital statistics including births and deaths, child abuse or neglect, public health investigation and intervention, communicable diseases, reporting adverse events, product tracking, work related injuries).


Victims of Abuse or Neglect

Disclosures about victims of abuse or neglect to authorized government agencies.


Health Care Oversight Activities

Health care oversight activities when agencies are looking into the health care system or government benefits programs, as well as civil and criminal investigation from health oversight agencies.


Judicial and Administrative Proceedings

Judicial and administrative proceedings pursuant to a court order or administrative tribunal. Absent an order of, or a subpoena issued by, a court or administrative tribunal, UMMMC may respond to a subpoena or other lawful process by a party to the proceeding only if the following are provided: (1) satisfactory assurances that reasonable efforts have been made to give the individual whose information has been requested notice of the request; or (2) satisfactory assurances that the party seeking such information has made reasonable efforts to secure a qualified protective order that prohibits disclosure except for the stated purpose and requires return or destruction of the information at the end of the litigation or proceeding, or provides notice to the individual regarding the protective order; (3) limited to expressly authorized PHI.


Law Enforcement

Limited disclosure may be permitted, but is not usually required, for law enforcement purposes related to crime victims, crime on the premises, identification of possible criminals pursuant to a court order or warrant, or a subpoena or summons issued by a judicial officer, state or federal grand jury subpoena, administrative subpoenas or summons, civil or authorized investigative demands, or similar process authorized by law (suspect, fugitive, material witness, or missing person, victim of a crime, emergency calls or deaths suspected to be related to criminal conduct).


Information about Decedents (Deceased Patients)

About decedents to coroners, funeral directors, medical examiners to identify a body, determine cause of death or perform other functions allowed by law.






Organ Procurement Organizations

To organ procurement organizations for cadaveric donation of organs, eyes, tissues.


Serious Threat to Health or Safety

To prevent or lessen serious threat to health or safety.


Specialized Government Function

For specialized government function such as military and veterans activities, national security and intelligence, protective services for the President, medical suitability for Department of State officials, to correctional institutions if necessary for health and safety.






Workers' Compensation

For workers' compensation (subject to minimum necessary) and in accordance with workers' compensation laws.

Allowable Uses & Disclosures

With Authorization

Allowable uses and disclosures, with authorization, include:

- Disclosure to Patient or Authorized Representative
  - Minimum Necessary Does Not Apply
- Employee as Patient
  - Authorization for Electronic Access must be submitted before accessing your record
- Disclosure to 3rd Parties
  - Pre-Employment
  - Disability/Life Insurance Application or Claims
  - Attorneys/Legal Cases
- Research Use Requiring Authorization
  - Clinical Trials
- Marketing
- Targeted Fundraising
- Informal permission or patient has the opportunity to agree or object
  - Listing a patient's contact information in the patient hospital directory when the patient has not opted out
  - Dispensing a filled prescription to a patient's family member
  - Informing a caretaker or a patient's family of the patient's condition

With allowable uses and disclosures with authorization, the patient has the opportunity to agree or object. This means the patient has an opportunity to:

- Give informal permission
- Be given a clear chance to either agree or object to the disclosure

If the patient is not available or able to agree or object, this sort of use/disclosure is still allowed if the covered entity believes the use/disclosure is in the best interest of the patient.




Information Security

This section describes several laws and regulations that establish information
security requirements for UMass Memorial.


In general, these laws and regulations require UMass Memorial to ensure the
confidentiality, integrity, and availability of patient data.


This section also describes information security standards contained in the
UMass Memorial Acceptable Use of Electronic Resources Policy that apply to all
UMass Memorial workforce members.

Security Rule Requirements

The HIPAA Security Rule requires UMass Memorial to:

- Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits;
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required; and
- Ensure compliance by UMass Memorial's workforce.

Acceptable Use

UMass Memorial's Acceptable Use of Electronic Resources Policy defines the "acceptable use" of electronic resources, including software, hardware devices and network systems. Included in the policy are standards for:

- Remote Access/Working at Home;
- Wireless and Mobile Computing Devices;
- Internet Use and Standards; and
- Workstation Use and Security and E-mail security.

See the Acceptable Use of Electronic Resources policy.

Your Responsibilities

Your security responsibilities include:

- Secure e-mail: Always use secured messaging when sending e-mails containing confidential information outside the UMass Memorial network. To encrypt an e-mail, type the word "secure" in the subject line. Be certain to always double-check all "to" and "cc" fields prior to sending any e-mails.
- E-mail abuse: Do not send any information that you would not want to see in your personnel file.
- Internet abuse: Do not post any confidential information to an internet site (e.g., Facebook, MySpace, Twitter).
- Lock your workstation: When leaving your workstation, always lock the workstation by pressing the Ctrl-Alt-Delete keys and then pressing Enter, or log out.
- Never share your username and password. These represent your unique identity and access to key systems/applications.
- Protect mobile devices when traveling: never leave them unattended. Devices such as laptops and smartphones are easily lost or stolen.
- Shred copies of confidential paper documents or place them in secured disposal consoles.
- Identify and report security violations to your manager and the Privacy and Information Security Offices.
- Wear your ID badge and challenge unknown people in your work area without an ID.

Identity Theft: FTC Red Flags

The Federal Trade Commission (FTC), along with other federal bank regulatory agencies, issued the Red Flags Rules, which require financial institutions and creditors to develop, implement, and document identity theft prevention programs.

Red Flags are patterns, practices, or specific activities that could indicate identity theft. Examples include:

- A complaint or question from a patient based on the patient's receipt of a bill for a product or service that the patient denies receiving;
- Records showing medical treatment that is inconsistent with a physical examination, or with a medical history as reported by the patient;
- A patient or insurance company report that coverage for legitimate hospital stays is denied because insurance benefits have been depleted or a lifetime cap has been reached; or
- A patient who has an insurance number but never produces an insurance card or other physical documentation of insurance.


Identity Theft: Program Requirements

UMass Memorial is required to protect patients and workforce members through the establishment of a written program dedicated to preventing, detecting, and responding to potential and actual identity theft.

Program requirements include:

- Identifying relevant Red Flags for the covered accounts that UMass Memorial offers or maintains, as well as the Red Flags for the personally identifiable information of UMass Memorial's workforce members;
- Detecting Red Flags indicating potential or actual identity theft;
- Responding appropriately to any Red Flags that are detected; and
- Updating the program periodically to reflect changes to the risk of patient and workforce member identity theft.

See the Policy to Prevent, Detect, and Address Identity Theft.






Identity Theft - Massachusetts Data Security Regulations

Similar to the Federal Red Flags Rules, Massachusetts has laws related to the security of personal information, which:

- Establish requirements for notification to state government and consumers in the event of a data security breach;
- Establish a consumer's right to request a security freeze; and
- Establish requirements for destruction and disposal of records containing a consumer's personal information.

Personal information is a Massachusetts resident's first and last name, or first initial and last name, combined with:

- SSN, or
- Driver's license number or state-issued ID number, or
- Credit/debit card number or bank account number



A data security breach is the unauthorized
acquisition or unauthorized use of personal
information that creates a substantial risk of
identity theft or fraud against a resident of the
Commonwealth of Massachusetts.


Personal information can be found in many areas
such as HR, Payroll, Billing Offices, Finance,
Registration and treatment areas.


The Massachusetts ID Theft Law requires proper
disposal of personal information by either
redacting, burning, pulverizing or shredding so
that the data cannot be read or reconstructed.


Use locked disposal bins and consoles to dispose
of any personal information no longer needed, or
use a department shredder if one is available.


Any breach involving personal information must
be reported to the Privacy & Information Security
Office so appropriate individuals and agencies may
be notified.
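The breach definition and the name-plus-trigger definition of personal information above are what decide whether an exposed record set has to go through the Massachusetts notification analysis. The Python below is an added example, not part of this module or any UMass Memorial system: it applies that definition to a constructed list of exposed records and separates those that meet it from those that do not. The field names, the residency flag and the sample records are assumptions; the card-number check uses the standard Luhn checksum so an arbitrary digit string is not treated as a card number.

```python
import re
from typing import Dict, List

# Field names are assumptions for this example; map them to your own schema.
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


def luhn_ok(number: str) -> bool:
    """Luhn checksum for a candidate credit/debit card number (13 to 19 digits)."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def has_name(rec: Dict[str, object]) -> bool:
    """First name (a first initial is enough) plus last name, per the definition."""
    first = str(rec.get("first_name") or "").strip()
    last = str(rec.get("last_name") or "").strip()
    return bool(first) and bool(last)


def trigger_types(rec: Dict[str, object]) -> List[str]:
    """Which of the trigger data elements the record carries."""
    found: List[str] = []
    if SSN_RE.match(str(rec.get("ssn") or "")):
        found.append("ssn")
    if rec.get("drivers_license") or rec.get("state_id"):
        found.append("license_or_state_id")
    if luhn_ok(str(rec.get("card_number") or "")):
        found.append("card_number")
    if rec.get("bank_account"):
        found.append("bank_account")
    return found


def is_ma_personal_information(rec: Dict[str, object]) -> bool:
    """Massachusetts resident + name + at least one trigger element."""
    return (rec.get("resident_state") == "MA"
            and has_name(rec)
            and bool(trigger_types(rec)))


def scope_breach(exposed: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Split an exposed record set into records meeting the MA definition and the rest."""
    result: Dict[str, List[str]] = {"personal_information": [], "other": []}
    for rec in exposed:
        key = "personal_information" if is_ma_personal_information(rec) else "other"
        result[key].append(str(rec["record_id"]))
    return result


# Constructed sample of what a lost billing export might contain; all values are made up.
SAMPLE_EXPOSED = [
    {"record_id": "r1", "resident_state": "MA", "first_name": "Pat", "last_name": "Example",
     "ssn": "123-45-6789"},
    {"record_id": "r2", "resident_state": "MA", "first_name": "P", "last_name": "Example",
     "card_number": "4111111111111111"},                       # first initial is enough
    {"record_id": "r3", "resident_state": "MA", "last_name": "Example",
     "ssn": "123-45-6789"},                                    # no first name or initial
    {"record_id": "r4", "resident_state": "NH", "first_name": "Pat", "last_name": "Example",
     "ssn": "123-45-6789"},                                    # not a Massachusetts resident
    {"record_id": "r5", "resident_state": "MA", "first_name": "Pat", "last_name": "Example",
     "diagnosis_code": "E11.9"},                               # PHI, but no trigger element
]

if __name__ == "__main__":
    print(scope_breach(SAMPLE_EXPOSED))
```

A record in the "other" bucket is not automatically safe to ignore: a record with a name but no trigger element may still be PHI under HIPAA, and a non-resident's record may be covered by that person's own state law, so the split only scopes the Massachusetts analysis.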

Penalties for Violations

Penalties for Privacy & Information Security Violations

External Agency Enforcement (OCR, DOJ, OIG): Civil and criminal penalties will be applied to covered entities and individuals as determined by these agencies for inappropriate disclosure of PHI.

UMass Memorial Corrective Action Enforcement: Violations of UMass Memorial policies causing privacy or information security breaches are likely to result in termination of employment or contracted service.

Examples of Breaches:

- Discussing or leaving PHI in a public area; leaving a computer unattended in an accessible area with PHI unsecured; leaving your password visible on or near your computer
- Unauthorized access, which includes requesting another individual to access your medical record; looking up family, friend, or co-worker information; using someone else's user ID and password; posting pictures of patients or procedures to social networking sites
- Obtaining information to use in a personal relationship; obtaining PHI for a pending legal case
- Loss or unauthorized destruction of confidential information



Questions and Complaints

Patients or workforce members who wish to file a complaint about alleged privacy violations or information security incidents have the following reporting options available:

- Notify your supervisor or manager
- Call the Privacy & Information Security Hotline with any questions or suspected violations: 508-334-5551
- E-mail the Privacy & Information Security Offices at: PrivacyandSecurity@umassmemorial.org
- File a complaint with the Department of Health & Human Services (DHHS)