HIPAA Compliance
Policy
The agency has implemented a plan to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA). The Act's Administrative Simplification provisions, which this plan addresses, cover three areas: standardization of electronic transactions, security and privacy.
The agency will use uniform coding and record formats for all payer types when performing electronic transactions to process health care claims as of October 16, 2003. The electronic transactions involved include: health care claims, health claims attachments, health plan eligibility, health care payments and remittance advice, health plan premium payments, health plan enrollment and disenrollment, health care claim status, and referral certification and authorization.
Security of confidential health information is a priority for all staff members and business associates. The agency's Information Systems Specialist will perform an initial security risk assessment to identify threats, electronic capabilities, safeguards, and weaknesses in the agency's system security. This gap assessment will be updated annually and submitted to the HIPAA Compliance Officer and the Risk Management Committee for action to address weaknesses. Electronic transactions will be encrypted so that confidential information is not disclosed if a transmission is lost or misdirected.
Privacy of individually identifiable health information must be ensured whether the data is in oral, written or electronic form. Information is to be protected from disclosure to employers, neighbors, government officials, and others without the individual's authorization. The release of PHI in routine disclosures should be limited to the minimum necessary to achieve the purpose and perform the function. The agency is required to disclose protected health information (PHI) to the individual patient and to the Secretary of the Department of Health and Human Services. PHI may also be used or disclosed as required by law, for public health activities, about victims of abuse, neglect, or domestic violence, for health oversight activities, for judicial and administrative proceedings, about decedents, for specialized government functions, to comply with workers' compensation laws, and for law enforcement purposes.
The patient has a right to receive the agency's Privacy Notice regarding Newborn Nurses/NBN Infusions Privacy Practices (see attachment Privacy Notice), to access and review their PHI, to request amendment of non-factual medical record data, to receive an accounting of PHI disclosures, to request special privacy protection, and to complain about breaches of privacy. The agency will obtain the patient's written acknowledgement of receipt of the Privacy Notice on the Service Agreement form. Patients have a right to request access to their record, and such requests must be responded to within thirty (30) days.
Procedures
Standardization
Standard electronic transactions to process health care claims will be implemented by the agency staff as of October 16, 2003. The insurer-specific claim formats previously used, such as the UB-92 and HCFA-1500, are replaced for electronic claims by the standard transactions. The standard code sets are listed in section 162.1000 of the Final Rule (65 Federal Register 50312, published August 17, 2000). ICD-9-CM Volumes 1 and 2 will be used for diseases, injuries, impairments, causes and other health problems. ICD-9-CM Volume 3 will be used for procedures and other actions. HCPCS and CPT codes will be used for physician and other health care services such as labs, medical supplies, and durable medical equipment. National Drug Codes (NDC) will be used to identify pharmaceuticals and biologics.
Security
Electronic transactions will be encrypted to protect information from disclosure. Each receiving entity of a transaction will be asked to state which encryption system it uses to protect data transmissions. The Information Systems Specialist will be consulted to ensure that the agency has compatible systems to send and receive encrypted data with that specific software package, and will add whatever software is necessary for communication between the agency and the other entities it does business with.
NBN Group secures e-mail messages with digital certificates. To exchange e-mail that contains confidential information, the sending and receiving parties must have an established relationship and hold each other's signed certificates. A message is encrypted to the certificates of its intended recipients; a staff member whose certificate is not among them cannot decrypt or read the message.
NBN Group runs a server protected by a dedicated hardware firewall/router. All NBN Group workstations and the file server sit on the private network behind the firewall and router, and the server and its files are protected from intruders by denying access to all unused ports. Only two ports are reachable from outside: the HTTPS port, through which users read their e-mail over the web, and one additional port through which Administration department users run the e-mail client on their home or laptop systems. Access through either port requires a user name and password. Antivirus software, with automatic updates and real-time scanning, has to date kept the server and workstations free of infection. NBN Group also logs network traffic on the firewall.
The firewall log records every connection from outside that the firewall allows or denies, as well as packets sent out through the firewall by workstations on the network; for each, the system date and time, IP addresses, protocol and ports are recorded. The NetWare server prompts NBN Group users to change their Novell and e-mail client passwords every 60 days, and workstation passwords change on the same sixty-day cycle with the NetWare accounts. All users must log into their systems each day with a user name and password, exactly as when logging in remotely through the web mail client. Users are granted access rights only to the specific folders and files they need: a request stating the type of access required is approved by the user's supervisor and then submitted to the MIS department, and no folder or application on the NetWare server can be accessed until the approved permissions have been set.
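The firewall log described above is only useful if someone reads it against the policy: inbound connections should appear on exactly the two externally reachable ports, and everything else from outside should be denied. The following Python script is an added example and is not part of the agency's policy or tooling. It assumes a simple text log format (timestamp, ACCEPT/DENY, protocol, source and destination address:port), a private LAN of 192.168.1.0/24, and 443 and 993 as the two permitted inbound ports; all of these, and the sample log lines, are constructed for illustration, since the policy names no port numbers or log format.

```python
"""Review firewall traffic log lines against the policy's two open ports.

Added example, not agency code. The log format, the LAN range, the port
numbers and the sample lines are all assumptions made for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple, Dict

# Ports the policy permits from outside. 443 is the HTTPS webmail port; 993
# stands in for the Administration department's e-mail client port (assumed).
ALLOWED_INBOUND_PORTS = {443: "webmail (HTTPS)", 993: "admin e-mail client"}
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed private LAN

# Assumed log line layout:  <date time> <ACCEPT|DENY> <proto> <src>:<port> -> <dst>:<port>
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>ACCEPT|DENY) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class Event:
    ts: datetime
    action: str
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int

    @property
    def inbound(self) -> bool:
        """True when an outside host is connecting to the private network."""
        return self.src not in INTERNAL_NET and self.dst in INTERNAL_NET


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        return Event(
            ts=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            action=m["action"],
            proto=m["proto"],
            src=ipaddress.ip_address(m["src"]),
            dst=ipaddress.ip_address(m["dst"]),
            dport=int(m["dport"]),
        )
    except ValueError:  # malformed address or date
        return None


def review(lines: List[str], scan_threshold: int = 3) -> Tuple[List[Tuple[str, str]], Dict[str, List[int]]]:
    """Classify each line and report sources that probed several closed ports.

    Categories: remote_access (allowed port reached from outside),
    accepted_on_closed_port (policy says all unused ports are denied, so this
    is a firewall misconfiguration), blocked_probe, outbound, unparsed.
    """
    findings: List[Tuple[str, str]] = []
    denied_ports: Dict[ipaddress.IPv4Address, set] = defaultdict(set)
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        ev = parse_line(line)
        if ev is None:
            findings.append(("unparsed", line))
        elif ev.inbound:
            if ev.action == "DENY":
                denied_ports[ev.src].add(ev.dport)
                findings.append(("blocked_probe", f"{ev.src} -> port {ev.dport}/{ev.proto}"))
            elif ev.dport in ALLOWED_INBOUND_PORTS:
                findings.append(("remote_access", f"{ev.src} used {ALLOWED_INBOUND_PORTS[ev.dport]}"))
            else:
                findings.append(("accepted_on_closed_port",
                                 f"{ev.src} reached port {ev.dport}/{ev.proto}: rule does not match policy"))
        else:
            findings.append(("outbound", f"{ev.src} -> {ev.dst}:{ev.dport}/{ev.proto}"))
    # One outside host denied on several distinct ports looks like a port scan.
    scanners = {str(src): sorted(ports) for src, ports in denied_ports.items()
                if len(ports) >= scan_threshold}
    return findings, scanners


# Constructed sample log (not real traffic) covering each category once.
SAMPLE_LOG = """\
2003-10-16 08:01:12 ACCEPT TCP 203.0.113.7:51234 -> 192.168.1.10:443
2003-10-16 08:01:15 DENY TCP 198.51.100.23:40001 -> 192.168.1.10:23
2003-10-16 08:01:16 DENY TCP 198.51.100.23:40002 -> 192.168.1.10:21
2003-10-16 08:01:17 DENY TCP 198.51.100.23:40003 -> 192.168.1.10:139
2003-10-16 08:01:18 DENY TCP 198.51.100.23:40004 -> 192.168.1.10:3389
2003-10-16 08:02:30 ACCEPT TCP 203.0.113.9:51300 -> 192.168.1.10:993
2003-10-16 08:03:00 ACCEPT TCP 203.0.113.50:52000 -> 192.168.1.10:1433
2003-10-16 08:05:41 ACCEPT TCP 192.168.1.22:33000 -> 198.51.100.200:25
this line is not a log record
"""

if __name__ == "__main__":
    found, scans = review(SAMPLE_LOG.splitlines())
    for category, detail in found:
        print(f"{category:24} {detail}")
    for src, ports in scans.items():
        print(f"possible port scan from {src}: denied on ports {ports}")
```

Run against the sample, the script lists two legitimate remote-access logins, four blocked probes (and names 198.51.100.23 as a probable port scanner), one accepted connection on port 1433 that the policy says should have been denied, one outbound SMTP connection and one unparsed line. The accepted_on_closed_port finding is the one to act on first: it means the "all unused ports denied" rule is not in force.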
The agency's DME software has been updated to a version that complies with the HIPAA electronic transaction formats (ANSI ASC X12) and code set standards.
NBN Group performs a full backup on the last and first day of each month, with incremental backup sets run throughout the month. At the end of each month the Administration department takes the end-of-month full backup tape off the premises in case a disaster requires a restore. The NBN Group server is also protected by a battery backup (UPS) so that, during a power outage, the server can keep running or be shut down properly without losing data.
Privacy
Access to and use of PHI is restricted to the minimum necessary for job responsibilities and is based on the specific role of the agency's staff member (see attachment Access to Patient Information by Job Description). Staff members with access to a patient's PHI should take every care to safeguard that data from disclosure. Redundant copies of documents containing PHI should be shredded once the purpose of the copy is served. Office staff should use the agency's shredders, either by disposing of the document directly in the shredder or by placing documents in the shredder box at the end of each day. The shredder box is located next to the shredder and its contents are shredded by a designated office staff member as needed. Field staff should manually shred redundant copies of documents that contain PHI, including fax confirmations of items sent to the agency offices, photocopies of time slips made for faxing, referral data, and other documents bearing patient-specific identifiers and PHI.
Faxing and e-mailing patient information into and out of office sites should be kept to a minimum and limited to circumstances where time is essential to continuity of care or to meet filing deadlines for billing and payroll. The preferred method of transmitting PHI is in person or by mail. Reasonable security measures are to be followed to ensure that a fax or e-mail is not misdirected or intercepted by individuals who are not intended or authorized to have access. Field staff are permitted to fax time slips to the office sites for payroll purposes.
Fax machines will be located out of public view in each agency office. Staff are to use a Newborn Nurses/NBN Infusions/New Behavioral Network cover sheet (see attachment) when faxing documents. The cover sheet must state that the fax is confidential, intended only for the use of the individual or entity named on it, and that disclosure of the communication is strictly prohibited. Personnel are to make sure the faxed information is covered by the proper authorization and that only the minimum necessary information is provided. Faxing of necessary documents is allowed, with each employee accountable for the safeguards noted in this policy: the recipient should be notified before the fax is sent so that it is not left unattended; the fax number should be double-checked before pressing the send key; pre-programmed fax numbers should be tested before an actual fax is sent to ensure that the correct recipient receives it; and when area code changes require numbers to be re-programmed, the new numbers should be tested in the same way.
A disclaimer at the foot of all e-mails gives notice of the confidential nature of the information and restricts it to the person the e-mail is addressed to.
A situation may arise where an unfamiliar person or organization requests a patient's PHI. Agency staff must verify that the requestor has a legitimate right to that data. The patient authorization form on file should be checked to see whether the requestor is authorized to receive the information. The patient may also be called to confirm a verbal authorization, or to give permission to release the requested PHI. Document the transmittal in the patient's chart and include the fax confirmation page in the record.
Business Associates (BA) will sign an Agreement Addendum (see attachment) specifying that they will not use or further disclose PHI other than as permitted by the contract. The Agreement also states the purposes for which the BA may use or disclose PHI, limits disclosures for purposes other than those required by law, lists the information required to provide an accounting of disclosures, and contains a termination clause for use if the agency determines that the BA has violated a material term of the contract. Business Associates are expected to implement fax safeguards for sending and receiving information and PHI.
Compliance Plan
The President will appoint a Privacy Officer who will fulfill the duties listed in the attached job description. The Privacy Officer will work with the Risk Management Committee to identify potential risks and weaknesses in the agency's security systems and breaches of confidential PHI. Breaches in the security of information are documented on a risk management form and reviewed by the Risk Management Committee, which will determine the steps to be taken to mitigate the breach, with advice from legal counsel as needed. Patients will be given the Privacy Officer's name and phone number to contact with questions and to report complaints.
Patients admitted to service after April 14, 2003 will receive a Written Notice of Privacy Practices (see attachment). This notice will also be available on the agency web page. After reviewing the Written Notice, the patient or the legal guardian/representative will be asked to sign a HIPAA Consent Form that acknowledges review of the notice and gives consent to release information for the listed purposes. If the agency is asked to release PHI to any party other than those listed on the notice, an authorization must be obtained from the patient or legal guardian/representative (see attachment Authorization Form). These documents are stored with the patient's medical record for six years.
Patients' requests for access to their record must be responded to within thirty (30) days. The patient, legal guardian or legal representative should request this access in writing on the Patient Request To Access/Copy Record Form (see attachment). The agency will then arrange, within thirty days, for the director to meet with the patient and assist in the review as they access their record. The director will ensure the integrity of the record. The patient may not remove the original records from the agency offices.
The patient may also request a copy of their record. There is a fee for copies of $1.00 per page, up to $100.00, and then at a rate of $0.25 per page beyond the first 100 pages. This fee must be paid in advance.
Patients may also request to amend their record. The agency allows amendments of non-factual data or entries with the approval of the Director. The patient should meet with the Director to review the proposed changes, and the Director will decide whether the amendments are appropriate. The agency retains the right to refuse to amend the record when the Director deems the amendment inappropriate.
Training
Initial inservice education is provided to all field staff and new office staff through an inservice module with a post-test; staff members are expected to score 80% or better. Office staff hired prior to April 2003 have received a one-hour inservice on the new procedures, forms and HIPAA Compliance policy.
Sanctions
Violations of the HIPAA regulations may result in civil and criminal penalties charged against the agency, which may include:
- A $100 civil penalty up to a maximum of $25,000 per year for each standard violated.
- A criminal penalty against the agency for knowingly obtaining or disclosing PHI, escalating to a maximum fine of $250,000 for the most serious offenses (obtaining or disclosing PHI with intent to sell it or to use it for commercial advantage, personal gain or malicious harm).
In addition, violations of the HIPAA regulations may result in penalties assessed against the individual, which may include:
Violation of the HIPAA Compliance policy constitutes grounds for disciplinary action against the individual, up to and including termination, and for criminal prosecution. Sanctions become more severe for repeated infractions; however, the agency is not required to apply a lesser sanction before terminating a staff member, independent contractor, or business associate. A position or contract may be severed in the following situations: a willful or grossly negligent breach of confidentiality; willful or grossly negligent destruction of computer equipment or data; or a knowing or grossly negligent violation of the HIPAA Act, its implementing regulations, or any other state or federal law that protects the confidentiality and integrity of patient information. A willful breach occurs when a person accesses, reviews or discloses PHI for personal gain or with malicious intent; an example would be compiling a list of patients to sell to a drug company. A less serious breach is one where PHI is accessed, reviewed or revealed without personal gain or malicious intent, but where there is no legitimate need to know; an example would be reviewing a neighbor's record out of curiosity or concern.