ROLES & RESPONSIBILITIES.

DHS Privacy Officer & DISO
▪ Direct and implement DHS Privacy and Information Security policies and procedures
▪ Direct Privacy and Security Training and Awareness Activities
▪ Ensure compliance with all laws, rules, regulations and standards related to the privacy and security of patient and other confidential or sensitive information

Facility Privacy Coordinator & FISC
▪ Receive, investigate, and report privacy and security complaints or suspected violations
▪ Coordinate the development, implementation and maintenance of specific privacy and security policies and procedures
▪ Monitor the effectiveness of the Patient Privacy & Information Security Program within their facility
▪ Provide facility/area-specific training

The name and contact information for the Facility Privacy Coordinator and the Information Security Coordinator are listed in your facility orientation/re-orientation handbook.

The Health Insurance Portability and Accountability Act of 1996, or HIPAA, is a federal law designed to protect confidential patient information known as protected health information, or PHI. HIPAA requires DHS’ healthcare facilities to institute safeguards to protect patient information. Technological advances in the healthcare industry, such as electronic transactions and electronic medical records, required changes in law to protect the personal health and financial information contained in those records and to provide patients with rights regarding the use of those records.

HIPAA:
• Provides patients with rights regarding the use and disclosure of their PHI.
• Requires DHS and its workforce to take reasonable safeguards to protect the privacy of patient information.
• Requires uses and disclosures of most PHI to be authorized (unless related to treatment, payment, or healthcare operations, or permitted by law or applicable regulation).
• Imposes penalties for violations of the law.
HIPAA has three components: the Privacy Rule, the Security Rule, and Transactions and Code Sets. This study guide focuses on the Privacy and Security Rules. The rules for Transactions and Code Sets govern healthcare transactions, diagnoses and procedure codes; these are covered in specialized unit-based training for workforce members in billing, claims and coding of medical records.

The Privacy Rule protects health information in all forms, including:
• Written
• Oral
• Electronic (ePHI)
• All other forms of communication (e.g., recorded information such as photographs or videos, filming or other recording of patients or PHI)

The Security Rule protects ePHI (electronic protected health information).

The Omnibus Rule (Rule) came about as a result of changes to several federal laws and strengthens the privacy and security protections for health information under HIPAA. The Rule enhances a patient’s privacy protections, provides individuals with new rights regarding their personal health information, and strengthens the government’s ability to enforce the law. The Rule became effective on March 26, 2013, and DHS must comply with its provisions by September 23, 2013.

The Omnibus-related modifications to the Privacy and Security Rules include:
• Makes business associates that work with DHS directly liable for compliance with certain HIPAA Privacy and Security Rule requirements.
• Expands a patient’s right to receive an electronic copy of their health information.
• Restricts DHS from letting a health plan such as Medicare, Medi-Cal, or an insurance company know about treatment the patient paid for in full out of pocket.
• Requires DHS to make changes to and re-distribute the Notice of Privacy Practices.
• Makes changes to rules that require patient authorizations and other requirements regarding research.
• Makes changes to rules regarding disclosure of child immunization information to schools.
• Makes changes to rules regarding access to decedent information by family members and others.
• Incorporates the increased and tiered civil money penalty structure provided by the HITECH Act.
• Prohibits most health plans from using or disclosing genetic information for underwriting purposes in accordance with the Genetic Information Nondiscrimination Act (▇▇▇▇).
• Strengthens the limitations on the use and disclosure of protected health information for marketing and fundraising purposes and prohibits the sale of PHI without individual authorization.

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) includes additional HIPAA enforcement provisions to ensure the privacy and security of electronic health records. The HITECH Act:
• Requires notification to the U.S. Department of Health and Human Services (HHS) and to individuals affected by a breach of unsecured PHI (PHI that was not encrypted, shredded, destroyed, wiped clean or sanitized).
• Provides for additional patient privacy rights.
• Prohibits the sale and marketing of PHI.
• Increases fines and penalties for violations.
• Strengthens enforcement measures.

Before the federal HIPAA law was adopted, California already had patient information privacy laws, such as the Confidentiality of Medical Information Act (CMIA) and the Patient Access to Health Records Act (PAHRA). With the disclosure of several high-profile patients’ health information, such as in the instances of ▇▇▇▇▇ ▇▇▇▇▇▇▇ (former gubernatorial first lady) and performers ▇▇▇▇▇▇ ▇▇▇▇▇▇▇ and ▇▇▇▇▇▇▇ ▇▇▇▇▇▇, several new laws were implemented to prevent unauthorized viewing, selling, or disclosure of patient information and to strengthen enforcement measures.
The California Department of Public Health investigates licensed healthcare facilities and programs when alleged privacy breaches are reported, and may fine the licensee if it determines that unauthorized and/or inappropriate access to or viewing of patient medical information without a direct need-to-know occurred. Licensed healthcare facilities and programs are obligated to notify the patient and report privacy breaches within five business days from when the breach was detected.

The California Office of Health Information Integrity (Cal OHII) was created to investigate individuals and hold them accountable if they are involved in a privacy breach, and can impose fines on the individual for negligent and unlawful disclosures of patient information. It can also report this information to an individual’s license, certificate, registration, or permit issuing board or agency for disciplinary action.

While HIPAA and California law generally provide the same protections for patient information, some disclosures of patient information allowed under HIPAA are not allowed under California law. In some cases, California law provides greater patient protections and should be followed.
Sources: Acceptable Use and Confidentiality Agreement, Agreement for Acceptable Use and Confidentiality
The Joint Commission (TJC) and Centers for Medicare and Medicaid Services (CMS) standards also require DHS facilities to maintain the privacy and security of patient information. Failure to maintain the confidentiality of patient information can lead to significant fines and can also affect the accreditation and reimbursement for patient care services at our facilities.