GURUJODHA KHALSA,

1
2010 Annual Review HIPAA Privacy,
Security and Compliance

• GURUJODHA KHALSA,
• DEPUTY COUNTY COUNSEL, CHC
• ROBIN BOWE, BSN, RN, C, CHC
• COMPLIANCE COORDINATOR
• PRIVACY OFFICER
• RISK MANAGER
• Rev. 10/10

2
2010 Regulatory Changes

• Changes in the legal and regulatory environment
• Changes in the delivery and payment of healthcare
  costs.
• Changes in the privacy and security of Protected
  Health Information (PHI)

3
HIPAA Privacy Rule Changesfor 2010

• Health Information Technology for
• Clinical Health Act (HITECH)
• Signed into law as part of the American Recovery
  and Reinvestment Act of 2009
• Major changes include
• Applies the HIPAA Privacy and Security Standards
  to Business Associates
• Establishes Federal reporting requirements for
  privacy breaches

4
HIPAA Privacy Rule Changefor 2010

• Established new criminal and civil penalties for
• non-compliance and new enforcement
  responsibilities
• New Patient Privacy Rights to include
• KMC must agree to a patients request for
  restriction of their health record for purpose of
  payment or healthcare operations
• Patients may request a copy of their medical
  record electronically once an Electronic Medical
  record is in place
• New restrictions on the use/disclosure of PHI
  for marketing and fundraising

5
Unauthorized Verbal Disclosureand HIPAA

• Use good judgment - limit the conversation of any
  private or confidential info to people who
  require the information in the normal performance
  of their job duties.
• Discussion of confidential information is not
  permitted in a public area(for example the
  cafeteria or the elevator).
• Be aware of your environment BEFORE you speak.
• (think who might be able to hear me?)

6
Unauthorized Written or Electronic Disclosure
and HIPAA

• Keep all documents secure (clipboard, locker or
  cubicle)
• KMC Staff/Medical Students or other persons
  assigned to KMC
• not allowed to take PHI off Kern Medical Center
  campus
• Shred all PHI that is not used at the end of the
  day
• gray shred bins
• Double check your documents (immunization records
  or other paperwork) have correct patient name
  labeled and are given to the correct patient
• Use a fax cover sheet for all faxes
• Double check the fax number before pressing send
  on a fax
• (PHI)-Patient Health Information

7
HIPAA Security

• KMC is required to establish policies and
  procedures
• assuring compliance with the HIPAA Security
  Standards
• Overall objective - maintain the privacy and
  confidentiality of information
• Requires initial and ongoing training

8
HIPAA Technical Safeguards

• Designed policies , procedures, and processes to
  protect, control and monitor information
• Designed to control access and assure appropriate
  consent and audit control
• Designed to prevent unauthorized access

9
HIPPA Administrative Safeguards

• KMC is required to have
• A Privacy Officer
• Contracts with Business Associates
• Policies and procedures in place

10
HIPAA Physical Safeguards

• All KMC staff that maintain PHI are required to
• Secure PHI in locked file cabinets
• Assure at all times
• doors are locked where PHI is maintained
• computer screens cannot be seen by the public
• Fax machines are secure

11
Unauthorized Access to Information Systems

• Access that is not allowed to computerized
  academic or administrative records or systems
  viewing or altering computer records, modifying
  computer programs or systems, releasing or
  dispensing information gained via unauthorized
  access, or interfering with the use or
  availability of computer systems or information.
• (45 CFR 164.312(a)(1) Access Controls)

12
Computer Access

• Access is granted by the Department Chairman,
  Manager or Supervisor for
• KMC paper and electronic record (need to know
  basis)
• By job description or job responsibilities.
• Employees are mandated to keep passwords secure
  and to log off computer systems.

13
Deficit Reduction Act

• What Federal Programs are affected?
• Medicare
• Medi-Cal
• Any other federally funded contract or program
• Examples at KMC
• CDPH at Sagebrush
• CPS at OB/GYN Clinic
• CDPH-California Dept. of Public Health
• CPS-Child Protective Services

14
Compliance

• Remember..
• Understand, follow and implement applicable KMC
  policies and procedures on behalf of the patient
  and their family.

15
Compliance False Claims

• An individual who files a false claim for the
  payment of health care services and
• Has actual knowledge that information on a claim
  is false or
• Deliberately
• Acts ignorant of the truth or falsity of the
  information or
• Acts in a reckless disregard of the truth or
  falsity of the information.

16
False Claims Act

• Penalizes the knowing submission of false or
  fraudulent claims to the Unites States
  Government.
• For each false claim submitted violators are
  subject to
• civil penalties and
• criminal prosecution

17
Qui Tam Suits

• A lawsuit filed by a private party against one
  or more people or an organization claiming
  fraudulent practices against the U.S. Government
• Informing the government does not allow the
  individual to claim a financial award
• Also called whistleblower suit
• Any whistleblower is protected
• any employee who is discharged, harassed, or
• otherwise discriminated against because of lawful
  acts
• by the employeeunder the Act is entitled to any
  relief
• necessary to make the employee whole

18
KMC REPORTING HOTLINE

• Patient safety issues (non-emergent)
• HIPAA privacy security Issues
• Quality of Care Issues 326-2665
• Compliance Issues
• Anonymous calls are OK!
• Emergency safety issues dial 5

19
Other Ways to Report

• You may contact any of the following
• people or organizations directly at any time
• Compliance Coordinator Robin Bowe RN
• 326-2048 (phone), 307-2537 (pager)or
• e-mail bower_at_kernmedctr.com
• Kern County Compliance Hotline 800-620-6047
• California Department of Public Health
• (CDPH) 661-336-0543
• Federal CMS Hotline 800-447-8477
• The Joint Commission
• www.complaint_at_jointcommission.org or
  630-792-5636 (fax)

20
Your Responsibility

• All employees must maintaining the privacy and
  security of all documents (paper or electronic
  format)
• This requirement pertains to all areas of the
  hospital and off-site areas (clinics, Home
  Health, Sagebrush)
• Do not leave PHI in your car or take it home
• Know the code of the patient to prevent
  inadvertent disclosures (Opted Out Patients and
  Publicity Codes)
• Faxing Fax to an authorized number and use a fax
  cover sheet. Confirm the number before sending
  the fax.

21
What You Need to Do

• Obtain an authorization from the patient for
  release of information
• Obtain permission (verbal/written) from the
  patient to discuss their care in front of family
  or friends.
• Document this discussion in the medical record
• Do not place PHI on any portable devices
  including but not limited to
• thumb drives, cell phones, PDAs
• Do not share your passwords
• Log off the computer you are using

22
Consequences of Non-Compliance

• Fines and penalties levied against KMC
• Civil penalties for the Hospital and
• the employees involved
• Criminal sanctions including fines and jail time
• Disciplinary action up to an including
  termination
• Negative image in the community may be a
  reflection of any breach

23
What is HIPAA?

• Be careful with what others can see
• PHI - (paper or electronic)
• Be careful of what others can over hear you
  saying
• Be careful not to talk about patients in public
  areas
• (nursing station, cafeteria, elevator etc.)

24
Any Questions
25

• Post Test

26
All Questions are T or FPlease mark answers
on your scan-tron

• Kern Medical Centers Compliance Coordinator and
  Privacy Officer is Robin Bowe?
• There are new Privacy Rules for the wrong use and
  disclosure (sharing) of PHI that are effective
  January 2009?

27
T or F?

• Kern Medical Centers Compliance Coordinator and
  Privacy Officer is Robin Bowe.
• There are new Privacy Rules for the inappropriate
  (wrong) use (working with) and disclosure
  (sharing) of PHI that are effective January 2009.

28
T or F?

• Kern Medical Center will be held liable for any
  inappropriate release of PHI?
• Kern Medical Center must notify the patient and
  the California Department of Public Health of an
  incident?

29
T or F?

• You should double check the fax number before you
  send a fax?
• Access into a patient file should be related to
  those patients that you are taking care of or
  have been consulted to see?

30
T or F?

• You are not allowed to access the patient file
  (paper or electronic) of family and friends?
• KMC staff are expected to Abide by the KMC Code
  of Conduct and Confidentiality Statement at all
  times?

31
T or F?

• KMC discourages unethical behavior including
  fraud and abuse?
• Both KMC and the County of Kern have a hotline to
  report fraud and abuse?

32

• Reference Slides

33
HIPAA?

• HIPAA The Health Insurance Portability and
  Accountability Act
• A Federal Law Created in 1996

H I P A A
Health Insurance Portability and
Accountability Act
It is considered the MOST significant healthcare
legislation since Medicare in
1965!!!
Insurance Reform/Coverage
Administrative Simplification
34
Protected Health Information (PHI)

• Anything written, oral or electronic that can
  identify the patient
• Examples
• 1. Name
• 2. Medical Record Number
• 3. Social Security Number
• 4. Birth date

35
Faxing PHI

• Only provide info the receiver needs
• Must use fax cover sheet when faxing PHI
• Verify number and recipients authority to have
  info before sending
• Fax machines are located only in secure, attended
  places
• Dont leave incoming faxes unattended pick them
  up right away!
• Think is this information secure?

36
ConfidentialityADM-IM-314

• Outlines Kern Medical Centers philosophy
  regarding privacy and confidentiality
• Outlines the following
• a. Internet
• b. E mail
• c. Faxing
• d. Messages on answering machines
• e. Sanctions Outlines sanctions that will be
  applied to employees who fail to comply with the
  privacy policy and procedures or the requirements
  of HIPAA

37
Confidentiality

• Should only access files for which you have the
  need to know
• When accessing information it should be for the
  minimum necessary to carry out job
  responsibilities
• Access Code Process assist inpatient areas, Same
  Day Surgery and Diagnostic Treatment Center in
  releasing information

38
Inmates

• High Security
• a. Restricted Visiting
• b. Restricted Calls
• c. Restricted Mail
• d. Guard (s) at the bedside
• Low Security
• a. Unrestricted Able to have visitors, mail,
  phone calls
• b. No guard at the bedside

39
HIPAA Security
40
Privacy is a right, confidentiality is a
condition

• And security is a safeguard.
• If the SECURITY fails, a breach of
  CONFIDENTIALITY occurs, and the PRIVACY of the
  individual is invaded

41
IS Security

• Password Keep Protected
• Log Off IS systems
• Audit trail Capability
• Need to Know

42
False Claims Act

• Federal Legislation ( USC Title 31 3729-37330
• Dates back to the Civil War (Lincoln Law)
• Allows private persons to sue those who defraud
  the government (qui tam)

43
California Fraud Laws

• California False Claims Act
• Government Code 12650-12656
• Mimics federal law
• Holds individuals responsible if they knowingly
  benefit from a fraudulent claim

44
California Fraud Laws

• Welfare Institutions Code
• 14014, 14107
• Penal Code
• 487, 550
• Business and Professions Code
• 17200, 17500
• Government Code
• 12650

45
California Fraud Laws

• Covers a wide variety of actions
• Encouraging another to receive healthcare for
  which they are not eligible
• Knowingly filing a claim for greater compensation
  than is eligible
• Offering to pay bribes or kickbacks
• Purchasing, ordering or leasing services that are
  unnecessary or unlawful

46
What Constitutes False Claims?

• Knowingly using (or causing to be used) a false
  statement or record to conceal, avoid, or
  decrease an obligation to pay money or transmit
  property to the Federal Government
• Conspiring with others to get a false or
  fraudulent claim paid by the Federal Government

47
Examples of Fraud

• Billing for services never rendered
• Billing for more expensive services than were
  rendered
• Performing medically unnecessary services solely
  to acquire insurance payment
• Misrepresenting non-covered services as medically
  necessary, covered services

48
Qui Tam Suits

• Awards may be from 10 30 of the total
  recovery from the defendant
• Conditions
• The extent to which the person contributed to the
  prosecution of the action (how much information
  was provided)
• If the government participates in the lawsuit

49
Your Responsibility

• Be aware of hospital policies and procedures
  dealing with Fraud and Abuse
• Understand how your department addresses
  prevention of false claims
• Report your concerns

50
Notice of Privacy PracticesADM-RI-625

• Outlines how Kern Medical Center may Use and
  Disclose Protected Health Information (PHI)
• Informs the patient of their rights under HIPAA
  for Use and Disclosure of PHI
• Patient signs an Acknowledgment Form for Receipt
  of Notice of Privacy Practices

51
Notice of Privacy Practices (contd)

• Only needs to be signed once unless we change the
  Notice
• Forensic/Correctional/Custodial patients do not
  have the right to the Notice of Privacy Practices
• Process in place for Admitting to get it signed
  in the event the patient is unable to do so
• Quality management tool to monitor compliance
• Posted on the Internet in English and Spanish at
  www.kernmedicalcenter.com

52
Communications by Alternative MeansADM-RI-626

• Patients right to request Kern Medical Center to
  send communications of PHI by alternative means
  or locations
• Example
• 1)Mail delivered to a different address
• 2)Phone messages delivered to a friends house

53
Communications by Alternative MeansADM-RI-626

• Patients right to request Kern Medical Center to
  send communications of PHI by alternative means
  or locations
• Example
• 1)Mail delivered to a different address
• 2)Phone messages delivered to a friends house

54
Verbal Communication

• Good judgment is utilized to limit the discussion
  of any private or confidential info with
  appropriate individuals who require the
  information in the normal performance of their
  job duties.
• Discussion of confidential information is not
  permissible in any public area.

55
Permitted Uses and DisclosuresADM-IM-340

• Outlines those disclosures that may be made with
  and without the authorizations of the patient
• Examples
• a. Tumor Registry
• b. Law Enforcement
• c. Organ Donation

56
Designation of Privacy OfficerADM-LD-615

• Do you know you Kern Medical Centers Privacy
  Officer is?
• Answer
• Robin Bowe BSN,RNC
• Phone326-2048
• Pager307-2537
• Office2361
• Responsible for handling complaints and concerns
  regarding privacy and confidentiality

57
Use and Disclosure of PHI Requiring Patient
AuthorizationADM-IM-320

• Outlines the steps in having the patient fill out
  their authorization form in order for KMC to
  disclose their PHI per their request
• Available in English and Spanish on the Intranet
  under Physician Orders and Forms

58
General Uses and Disclosures of PHIADM-IM-325

• Outlines the general rules and regulations for
  Use and Disclosure of PHI
• a. Who can we release information to?
• b. When do you not need a consent?
• Example Is it for Treatment, Payment, Health
  Care Operations (TPO)
• c. Know the definitions located in all policies

59
Minimum Necessary Use and Disclosure of
PHIADM-IM-345

• Outlines Kern Medical Centers responsibility to
  disclose the minimum amount of PHI to carry out
  the intended purposes or intent of the disclosure
• Example Disclosure related to this visit or
  hospitalization and not something that happened
  10 years ago

60
Internet PolicyADM-IM-316

• Do you use the Internet?
• This policy outlines the guidelines for Internet
  use at KMC
• Certain Internet sites are automatically block
  by Information Systems

61
E MailADM-IM-110

• Do you use e mail?
• Outlines the employee responsibility in email
  usage at KMC
• Should be used for business use only and not for
  personal use

62
Faxes

• Use Discretion limit the information
  transmitted by fax to what is minimally necessary
  to meet the requesters needs.
• Must use fax cover sheet when transmitting
  protected health info.
• Verify number and the recipients authority
  before sending PHI
• Fax machines are not to be located in
  open/unattended areas.
• Do not leave incoming faxes unattended.

63
Maintenance of Computer Access to the Hospital
Information SystemsADM-IM-105

• Outlines how employees obtain access to the
  Hospital Information Systems
• Outlines employee responsibility for Information
  Systems
• Requires all Employees to sign a Confidentiality
  Agreement

64
Media PolicyADM-RI-203

• Outlines Kern Medical Centers responsibility for
  Use and Disclosure of PHI to the News Media
• Employee Responsibility
• Refer all phone calls to Public Relations
  Monday-Friday during normal business hours and to
  the House Supervisor after hours and weekends

65
Abuse Identification of Victims and Reporting
RequirementsADM-RI-601

• Kern Medical may disclose Protected Health
  Information (PHI) without authorization to a
  government authority when the organization
  reasonably believes the individual to be a victim
  of abuse, neglect, or domestic violence. This is
  permitted to the extent the disclosure is
  required by law and the disclosure complies with
  and is limited to the relevant requirements of
  such law

66
MitigationADM-LD-613

• Definition To decrease the harmful effects
• Example When reviewing how PHI is used at KMC or
  once a breech or violation occurs, KMC will take
  steps to ensure that the breech will not happen
  again.
• This is usually done by the development of an
  Action Plan with all parties involved

67
Sanctions

• Unauthorized access or disclosure of PHI or
  violations relating to PHI may result in
  disciplinary action up to and including
  termination of employment

68
Workforce TrainingADM-LD-617

• Outlines how education regarding policies and
  procedures occur at KMC
• Reviews what may generate educational needs
• Example
• a. Changes in the Law
• b. Change is Standard

69
Record RetentionADM-IM-320

• Requires KMC to keep records related to all HIPAA
  and Compliance related decisions for a period of
  6 years or for the length of time required to
  keep the medical record

70
What is the Result of Non Compliance?

• The actions address claims for service by
  healthcare organizations that were either not
  provided or that clearly misrepresented the
  treatment actually given to a patient
• By contrast now, the government is aggressively
  going after cases and allegations of medically
  unnecessary or substandard care

71
Educational Process

• Education will be on the Intranet
• Complete the Power Point Presentation
• Complete Post Test
• Mark your answers on a Scan Tron
• Sign a Blue Educational Sheet with your DCPOS
  number
• Turn all documents into your Manager

72
HIPAA News

• Web Page on the Intranet
• Educational requirements for HIPAA will be placed
  here
• Links and other related websites can be accessed
  here
• Articles about HIPAA can be viewed here
• Criminal convictions related to HIPAA will be
  posted here