Enterprise Risk Management
Enterprise risk management (ERM) in healthcare promotes a comprehensive framework for making risk management decisions which maximize value protection and creation by managing risk and uncertainty and their connections to total value.
ERM Framework
ERM Domains
Operational
Clinical/Patient Safety
Strategic
Financial
Human Capital
Legal/Regulatory
Technology
Hazard
Guiding Principles
The following guiding principles, in concert with ASHRM’s mission and vision, have been developed as basic building blocks supporting the framework for ERM in healthcare:
Advance safe and trusted healthcare
Manage uncertainty
Maximize value protection and creation
Encourage multidisciplinary accountability
Optimize organizational readiness
Promote positive organizational culture which will impact readiness and success
Utilize data/metrics to prioritize risks
Align risk appetite and strategy
ERM Practices:
1. Are continuous
2. Require a paradigm shift in how an organization identifies and manages risks and opportunities
3. Are “not a stop on the road, but a journey”
© ASHRM 2016
ERM Risk Domains
Domain – Description/Example

Operational – The business of healthcare is the delivery of care that is safe, timely, effective, efficient, and patient-centered within diverse populations. Operational risks relate to those risks resulting from inadequate or failed internal processes, people, or systems that affect business operations. Included are risks related to: adverse event management, credentialing and staffing, documentation, chain of command, and deviation from practice.

Clinical/Patient Safety – Risks associated with the delivery of care to residents, patients and other healthcare customers. Clinical risks include: failure to follow evidence-based practice, medication errors, hospital-acquired conditions (HAC), serious safety events (SSE), and others.

Strategic – Risks associated with the focus and direction of the organization. Because the rapid pace of change can create unpredictability, risks included within the strategic domain are associated with brand, reputation, competition, failure to adapt to changing times, health reform or customer priorities. Managed care relationships/partnerships, conflict of interest, marketing and sales, media relations, mergers, acquisitions, divestitures, joint ventures, affiliations and other business arrangements, contract administration, and advertising are other areas generally considered as potential strategic risks.

Financial – Decisions that affect the financial sustainability of the organization, access to capital or external financial ratings through business relationships or the timing and recognition of revenue and expenses make up this domain. Risks might include: costs associated with malpractice, litigation, and insurance, capital structure, credit and interest rate fluctuations, foreign exchange, growth in programs and facilities, capital equipment, corporate compliance (fraud and abuse), accounts receivable, days of cash on hand, capitation contracts, billing and collection.

Human Capital – This domain refers to the organization’s workforce. This is an important issue in today’s tight labor and economic markets. Included are risks associated with employee selection, retention, turnover, staffing, absenteeism, on-the-job work-related injuries (workers’ compensation), work schedules and fatigue, productivity and compensation. Human capital associated risks may cover recruitment, retention, and termination of members of the medical and allied health staff.

Legal/Regulatory – Risk within this domain incorporates the failure to identify, manage and monitor legal, regulatory, and statutory mandates on a local, state and federal level. Such risks are generally associated with fraud and abuse, licensure, accreditation, product liability, management liability, Centers for Medicare and Medicaid Services (CMS) Conditions of Participation (CoPs) and Conditions for Coverage (CfC), as well as issues related to intellectual property.

Technology – This domain covers machines, hardware, equipment, devices and tools, but can also include techniques, systems and methods of organization. Healthcare has seen an explosion in the use of technology for clinical diagnosis and treatment, training and education, information storage and retrieval, and asset preservation. Examples also include Risk Management Information Systems (RMIS), Electronic Health Records (EHR) and Meaningful Use, social networking and cyber liability.

Hazard – This ERM domain covers assets and their value. Traditionally, insurable hazard risk has related to natural exposure and business interruption. Specific risks can also include risk related to: facility management, plant age, parking (lighting, location, and security), valuables, construction/renovation, earthquakes, windstorms, tornadoes, floods, fires.
Risk Management in Healthcare
Brief Overview
What is Risk and Risk Management
Domains of Risk and Examples of Healthcare Risks
Steps in Risk Management
Risk Identification
Risk Evaluation
Implementing Strategies to Reduce Risk
Healthcare Laws, Regulations, and Programs
What is a Risk?
“Probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action.”
Source: http://www.businessdictionary.com/definition/risk.html
What is Risk Management?
“The discipline by which an organization identifies, assesses, controls, measures and monitors various risks and opportunities for the purpose of achieving the entity’s strategic and financial objectives”
Source: https://www.soa.org/globalassets/assets/Files/Newsroom/news-erm-fact-sheet.pdf
Risk Assessments help answer the following questions:
• What can go wrong?
• How can it go wrong?
• Why does it go wrong?
• Who does it affect?
• How often does it go wrong? What is the extent?
• Is there a need for action?
Source: http://www.dbhds.virginia.gov/library/quality%20risk%20management/qrm-a%20simple%20approach%20to%20risk%20assessment.pdf
Steps in Risk Assessment (the risk management program cycle)
1. Identify – What? How?
2. Evaluate – Why? How often? Who? Is action needed?
3. Develop and implement strategies
4. Review/evaluate/monitor the program – Is it working?
Risk Identification
Why is it important for organizations to identify issues?
What must organizations do to identify issues within their system?
Figure: Surface versus Reality
Methods of Risk Identification
1. Brainstorm
2. SWOT Analysis
3. Eight Risk Domains
4. Root Cause Analysis (RCA)
Source: https://www.ashrm.org/sites/default/files/ashrm/ERM-White-Paper-8-29-14-FINAL.pdf
Brainstorm
• Gather information – Interviews, staff/departmental meetings,
surveys or review quality reports to identify problem areas
• Create a list – List out what issues the organization is facing
SWOT Analysis
• Identifying Strengths, Weaknesses, Opportunities and Threats.
• To remember:
• Strengths and Weaknesses are usually internal to the organization.
• Opportunities and Threats are usually external to the organization.
Figure: SWOT grid (Strengths, Weaknesses, Opportunities, Threats)
Eight Risk Domains in Risk Management
Can you think of risk examples in healthcare for each of these domains?
Root Cause Analysis
The dictionary defines “root cause” as the fundamental cause, basis, or essence of something, or the source from which something derives.
Root cause analysis is a systematic process for identifying “root causes” of problems or events and an approach for responding to them.
Source: https://www.thehealthcompass.org/how-to-guides/how-conduct-root-cause-analysis
The goals of Root Cause Analysis (RCA) are to identify:
1. What happened
2. Why it happened
3. How it happened
4. Actions to prevent reoccurrence of problems
Source: https://www.thehealthcompass.org/how-to-guides/how-conduct-root-cause-analysis
Steps to Identify Root Causes
1. Define the problem.
2. Gather information, data and evidence.
3. Identify all issues and events that contributed to the problem.
4. Determine root causes.
5. Identify recommendations for eliminating or mitigating the reoccurrence of problems or events.
6. Implement the identified solutions.
Source: https://www.thehealthcompass.org/how-to-guides/how-conduct-root-cause-analysis
Root Cause Analysis Methods
• Fault Tree Analysis
• Five Whys Tool
• Pareto Analysis
• Fishbone Diagrams
Fault Tree Analysis
• Refer to video: https://www.youtube.com/watch?v=aVfMsPOKrak
• We will not be using this tool in class and will not be covering this tool in depth. However, it is important for you to know what it is and what it looks like.
• Refer to the image on the right for an example of what a fault tree analysis looks like:
Source: http://asq.org/quality-progress/2002/03/problem-solving/what-is-a-fault-tree-analysis.html
The Five Whys Method
The Five Whys is a simple problem-solving technique that helps to get to the root of a problem quickly.
The Five Whys strategy involves looking at any problem and drilling down by asking: “Why?” or “What caused this problem?”
The goal of this tool is to prompt another “Why” until you get to the root of the problem.
Source: https://www.cms.gov/Medicare/Provider-Enrollment-and-Certification/QAPI/downloads/FiveWhys.pdf
Example of the Five Whys Method (CMS)
Problem statement – your car gets a flat tire on your way to work.
1. Why did you get a flat tire?
• You ran over nails in your garage
2. Why were there nails on the garage floor?
• The box of nails on the shelf was wet; the box fell apart and
nails fell from the box onto the floor.
3. Why was the box of nails wet?
• There was a leak in the roof and it rained hard last night.
Source: https://www.cms.gov/Medicare/Provider-Enrollment-and-Certification/QAPI/downloads/FiveWhys.pdf
Pareto Analysis
• Is a useful technique for prioritizing problem-solving work, so that the first piece of work you tackle simultaneously resolves the greatest number of problems.
• Refer to video: The Pareto Principle
Figure: 20% Effort → 80% Results
Source: http://www.free-management-ebooks.com/news/pareto-analysis/
Steps to do a Pareto Analysis
1. List problem areas
2. Identify the root cause for each problem
3. Score each problem in terms of importance
4. Group those with the same root cause
5. Fix the problems with the highest score
Source: http://www.free-management-ebooks.com/news/pareto-analysis/
Fishbone Diagrams
1. Also known as a cause and effect analysis / Ishikawa diagram
2. Ideal problem-solving tool for management
3. Helps managers and leaders brainstorm root causes of issues
4. Provides a clear visual by grouping organizational issues into categories
Source: https://www.cms.gov/medicare/provider-enrollment-and-certification/qapi/downloads/fishbonerevised.pdf
Fishbone Diagram Example (CMS)
Source: https://www.cms.gov/medicare/provider-enrollment-and-certification/qapi/downloads/fishbonerevised.pdf
Risk Evaluation
What to look for when evaluating risks:
1. Look for repetitions and group them. Have similar risks been brought up before by multiple units?
2. Look for risks that are cost-effective and easy to implement.
3. Look for risks that already have solutions and strategies in place and make sure that the ones in place actually WORK.
Source: https://www.ashrm.org/sites/default/files/ashrm/ERM-White-Paper-8-29-14-FINAL.pdf
Risk Score
– Not an exact measure. However, it is still helpful to sort and organize risks.
– Tool used by managers and administrators to gain a better understanding of the organization’s risk.
– Doing this allows them to better understand which risks need to be prioritized.
– “A Likert scale ranking of one (1) to five (5) is most often used, with 1 being the lowest, least likely to occur, or least impactful. Using the range of 1 to 5 for both dimensions, the highest ranking is 25.”
Sources: https://www.ashrm.org/sites/default/files/ashrm/ERM-White-Paper-8-29-14-FINAL.pdf
http://www.dbhds.virginia.gov/library/quality%20risk%20management/qrm-a%20simple%20approach%20to%20risk%20assessment.pdf
Risk Score Formula
– “Likelihood, also referred to as frequency or probability, refers to the number of times an adverse event or occurrence (a risk) will happen. This dimension is expressed in terms of a number or ratio.”
– “Impact, also referred to as severity, refers to the anticipated outcome of the risk if it occurs. Impact is most often referenced in financial terms (dollars $) and can also be referred to as ‘vulnerability’ or ‘consequences’.”
Likelihood × Impact = Risk Score
Source: https://www.ashrm.org/sites/default/files/ashrm/ERM-White-Paper-8-29-14-FINAL.pdf
Risk Map
– Also known as a risk matrix or heat map; the name heat map comes from the colors that are used.
– X axis is the likelihood.
– Y axis is the impact.
Source: https://www.ashrm.org/sites/default/files/ashrm/ERM-White-Paper-8-29-14-FINAL.pdf
Risk Map
Low Risk (Green)
• Usually quick and easy actions. They can be implemented immediately.
Moderate Risk (Yellow)
• Actions are usually implemented as soon as possible but no later than the next 60 – 90 days.
High Risk (Orange)
• Actions are usually implemented as soon as possible but no later than 30 days.
Extreme Risk (Red)
• Requires urgent action. Immediate corrective action needed.
Source: http://www.dbhds.virginia.gov/library/quality%20risk%20management/qrm-a%20simple%20approach%20to%20risk%20assessment.pdf
Implementation Strategies to Reduce Risk
– Review this website for examples and definitions of each of these implementation strategies: Risk Management Strategies
Source: https://www.theamateurfinancier.com/blog/risk-management-strategies
Strategy by likelihood and impact:
– Low impact, low likelihood: Retain
– Low impact, high likelihood: Reduce
– High impact, low likelihood: Transfer
– High impact, high likelihood: Avoid
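To make the scoring, the risk map and the strategy matrix concrete, here is an added Python example (not code from the ASHRM or DBHDS material) that scores a constructed risk register with Likelihood × Impact on the 1-to-5 scale, sorts it, assigns the color band and response window from the risk map, picks the retain/reduce/transfer/avoid quadrant, and flags the repetitions the evaluation step asks for. The score thresholds that separate the color bands on the 25-point scale and the cutoff for treating a rating as "high" are assumptions of this example; the slides only name the bands and the low/high quadrants.

```python
from collections import defaultdict
from dataclasses import dataclass

# Color bands and response timelines come from the risk-map slide; the score
# thresholds that separate the bands on the 1..25 scale are an assumption of
# this example (the source only names the bands).
BANDS = (
    (4, "Low Risk (Green)", "quick and easy actions, implement immediately"),
    (9, "Moderate Risk (Yellow)", "as soon as possible, no later than 60-90 days"),
    (15, "High Risk (Orange)", "as soon as possible, no later than 30 days"),
    (25, "Extreme Risk (Red)", "urgent, immediate corrective action"),
)


@dataclass(frozen=True)
class Risk:
    name: str
    domain: str       # one of the eight ERM domains
    unit: str         # department that raised the risk
    likelihood: int   # Likert 1..5, 1 = least likely to occur
    impact: int       # Likert 1..5, 1 = least impactful

    def __post_init__(self):
        # Reject anything outside the Likert range so a bad entry cannot
        # silently produce a score above 25 or below 1.
        for field in ("likelihood", "impact"):
            value = getattr(self, field)
            if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{field} must be an integer from 1 to 5, got {value!r}")

    @property
    def score(self) -> int:
        """Risk Score = Likelihood x Impact (maximum 25)."""
        return self.likelihood * self.impact


def band(score: int) -> tuple:
    """Map a score to its risk-map color band and the expected response window."""
    for upper, label, action in BANDS:
        if score <= upper:
            return label, action
    raise ValueError(f"score out of range: {score}")


def strategy(risk: Risk, high_at: int = 4) -> str:
    """Quadrant from the implementation-strategies matrix (retain / reduce /
    transfer / avoid). Treating a rating of high_at or more as 'high' is an
    assumption; the slide only shows low and high."""
    high_likelihood = risk.likelihood >= high_at
    high_impact = risk.impact >= high_at
    if high_impact and high_likelihood:
        return "Avoid"
    if high_impact:
        return "Transfer"
    if high_likelihood:
        return "Reduce"
    return "Retain"


def rank(risks):
    """Sort for prioritisation: highest score first, ties broken by impact."""
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)


def repeats(risks):
    """Risk-evaluation step: the same risk raised by more than one unit."""
    by_name = defaultdict(set)
    for r in risks:
        by_name[r.name].add(r.unit)
    return {name: sorted(units) for name, units in by_name.items() if len(units) > 1}


# Constructed sample register (not real data).
REGISTER = [
    Risk("Medication error", "Clinical/Patient Safety", "Pharmacy", 4, 5),
    Risk("Medication error", "Clinical/Patient Safety", "ICU", 4, 5),
    Risk("EHR downtime", "Technology", "IT", 3, 4),
    Risk("Nurse turnover", "Human Capital", "HR", 4, 2),
    Risk("Parking lot lighting", "Hazard", "Facilities", 2, 2),
]


def report(risks):
    """Lines of a prioritised report: score, band, strategy, name, unit, action."""
    lines = []
    for r in rank(risks):
        label, action = band(r.score)
        lines.append(f"{r.score:>2}  {label:<24} {strategy(r):<8} {r.name} ({r.unit}): {action}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(REGISTER)))
    print("raised by multiple units:", repeats(REGISTER))
```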
Healthcare Laws, Regulations, Programs and Organizations
Joint Commission on Accreditation of Healthcare Organizations (JCAHO)
– Founded in 1951
– Independent, non-profit organization
– It is an accrediting body that aims to maintain the highest standards in
healthcare organizations and improve their process and performance.
– Consists of surveyors (including doctors, nurses and other healthcare
workers) who are trained to inspect and survey various healthcare
facilities.
– They look to see if the healthcare organization is maintaining and
following proper protocol in safety and quality.
– In order for an organization to be accredited, they must pass the on-site
survey that is conducted every 3 years. For clinical laboratories, the onsite survey is conducted every 2 years.
– As of 2018, 77% of the nation’s hospitals have been accredited by JCAHO.
Source: https://www.jointcommission.org/
Sentinel Event (JCAHO)
A sentinel event is a patient safety event (not
primarily related to the natural course of the
patient’s illness or underlying condition) that
reaches a patient and results in any of the following:
• Death
• Permanent harm
• Severe temporary harm
Source: https://www.jointcommission.org/
Goals of the Sentinel Event Policy (JCAHO)
1. To have a positive impact in improving patient care, treatment,
and services and in preventing unintended harm
2. To focus the attention of a hospital that has experienced a
sentinel event on understanding the factors that contributed to
the event (such as underlying causes, latent conditions and
active failures in defense systems, or hospital culture), and on
changing the hospital’s culture, systems, and processes to
reduce the probability of such an event in the future
3. To increase the general knowledge about patient safety events,
their contributing factors, and strategies for prevention
4. To maintain the confidence of the public, clinicians, and
hospitals that patient safety is a priority in accredited hospitals
Source: https://www.jointcommission.org/
Centers for Medicare and Medicaid Services (CMS)
– “The Centers for Medicare & Medicaid Services (CMS) is part of the
Department of Health and Human Services (HHS). CMS administers programs
including: Medicare, Medicaid, the Children’s Health Insurance Program
(CHIP), and the Health Insurance Marketplace” (CDS, 2020).
– They service over 100 million people.
– Their goal is to provide high-quality care that is affordable.
– CMS requires healthcare organizations to have proper risk management and
assessment techniques in place. Especially with CMS sensitive material.
– Patient Safety Example: If hospital has a high rate of hospital-acquired
infections compared to 75% of hospitals in the nation, CMS will provide less
reimbursement to this hospital.
– Fact: The Hospital Acquired Condition Program was developed with the aim
to improve patient’s health and quality of care. With this program, Medicare
saves about $350 million per year.
Sources: https://cds.ahrq.gov/cdsconnect/org/centers-medicare-and-medicaid-services, https://www.usa.gov/federal-agencies/centers-for-medicare-and-medicaid-services,
https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Downloads/RMH-Chapter-14-Risk-Assessment.pdf
Occupational Safety and Health Administration (OSHA)
– Signed by President Nixon in 1970.
– Was created by Congress to ensure proper and safe
working conditions for workers.
– These are enforced through training, education,
resources, and outreach.
– Through this program and its efforts, deaths and injuries
to workers have significantly decreased by over 65%.
– Workplace injuries and deaths cost American employers
over $59 billion every year (Worker’s Comp).
Sources: https://www.osha.gov/aboutosha
https://www.osha.gov/Publications/all_about_OSHA.pdf
Emergency Medical Treatment and Labor Act (EMTALA)
– Enacted in 1986 by Congress.
– This Act ensures that the public has access to care and treatment in an emergency regardless of their ability to pay for the services provided or their insurance status.
– All hospitals with an Emergency Department are required to follow the policies under EMTALA.
– Hospitals could receive up to a $50,000 penalty for refusing or not providing service to a patient.
– For hospitals with fewer than 100 beds, a penalty of $25,000 can be imposed.
Sources: https://www.cms.gov/Regulations-and-Guidance/Legislation/EMTALA/index
https://www.acep.org/life-as-a-physician/ethics–legal/emtala/emtala-fact-sheet/
References
http://www.free-management-ebooks.com/news/six-step-problem-solving-model/
https://www.cms.gov/Medicare/Provider-Enrollment-and-Certification/QAPI/downloads/FiveWhys.pdf
http://www.free-management-ebooks.com/news/cause-and-effect-analysis/
https://conceptdraw.com/a2300c3/preview
https://onlinelibrary.wiley.com/doi/pdf/10.1002/9781118364727.ch29
7 Steps to a Fishbone Diagram and to Identifying Those Causes
https://www.cms.gov/medicare/provider-enrollment-and-certification/qapi/downloads/fishbonerevised.pdf
http://www.ihi.org/education/IHIOpenSchool/resources/Pages/Activities/AHRQCaseStudyCodeBlue.aspx
http://app.ihi.org/LMS/Content/515875cb-65a5-4f20-911d-3e5aeefeaa4f/Upload/Case%20study.pdf
http://www.businessinsider.com/nine-steps-to-effective-business-problem-solving-2011-7
https://executiveeducation.wharton.upenn.edu/thought-leadership/wharton-at-work/2015/06/identify-the-real-problem
https://www.thehealthcompass.org/how-to-guides/how-conduct-root-cause-analysis
https://des.wa.gov/services/risk-management/about-risk-management/enterprise-risk-management/root-cause-analysis
https://www.cms.gov/Regulations-and-Guidance/Legislation/EMTALA/index
https://www.acep.org/life-as-a-physician/ethics–legal/emtala/emtala-fact-sheet/
https://www.osha.gov/aboutosha
https://www.osha.gov/Publications/all_about_OSHA.pdf
https://cds.ahrq.gov/cdsconnect/org/centers-medicare-and-medicaid-services
https://www.usa.gov/federal-agencies/centers-for-medicare-and-medicaid-services
https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Downloads/RMH-Chapter-14-Risk-Assessment.pdf
https://www.jointcommission.org/
https://www.theamateurfinancier.com/blog/risk-management-strategies
http://www.dbhds.virginia.gov/library/quality%20risk%20management/qrm-a%20simple%20approach%20to%20risk%20assessment.pdf
https://www.ashrm.org/sites/default/files/ashrm/ERM-White-Paper-8-29-14-FINAL.pdf
http://asq.org/quality-progress/2002/03/problem-solving/what-is-a-fault-tree-analysis.html
https://www.soa.org/globalassets/assets/Files/Newsroom/news-erm-fact-sheet.pdf
http://www.businessdictionary.com/definition/risk.html
https://www.jointcommissioninternational.org/-/media/jci/idev-imports/sentinel_event_policy1.pdf?db=web&hash=36C66D8155F4FD9AEEF0E22392019284
Corporate Compliance in Healthcare
What Is Corporate Compliance?
◦ A way for a company to ensure that it is following the laws and regulations that apply to the goods and services that it is supplying.
What types of Organizations have a
compliance program?
• Home Healthcare
• Physician Group Medical Practices
• Hospitals
• Hospice
• Inpatient Rehab
• And more
Corporate Compliance & the Essential Elements of a Compliance Program
Leadership
• Senior leadership is committed to compliance and sets the tone for the organization
Risk Assessment
• Designed to provide a big picture of your overall compliance program and help you identify areas of high risk; conducted annually. An ongoing process to help mitigate any risks that are a threat to your organization.
Standards and Controls
• Develop programs to set boundaries within the organization.
• Code of Conduct
• Policies and Procedures
• Operate on Best Practices
Training and Communication
• Training program administered to staff annually
Oversight
• Also question whether or not staff are following the compliance program.
• Monitoring – identifies gaps and is a commitment
• Auditing – targets a specific business component for review
You think a violation has occurred. You ask yourself, “What do I do?”
As a healthcare worker:
◦ Know the following:
◦ Where to find the organization’s policies and procedures
◦ Healthcare laws that protect against fraud and abuse
◦ Your Risk Manager, Ethics & Compliance Officer, and Privacy Officer
◦ How to file a complaint, either by using the Compliance Hotline, which keeps you anonymous, or by contacting one of the above officials
Office of Inspector General (OIG)
Who is the Office of Inspector General?
◦ Federal program for fraud and abuse
◦ Mission: To protect the integrity of HHS programs as well as the health and welfare of program beneficiaries (OIG, 2020)
Established in 1976
At the forefront of the US’s efforts to fight waste, fraud, and abuse in Medicare, Medicaid and HHS programs
What is HHS?
◦ Federal program that fosters advances in medicine, public health, and social services.
OIG. (2020, JANUARY 2). COMPARISON OF THE ANTI-KICKBACK STATUTE AND STARK LAW. RETRIEVED FROM HTTP://OIG.HHS.GOV/COMPLIANCE/PROVIDER-COMPLIANCETRAINING/FILES/STARKANDAKSCHARTHANDOUT508.PDF
Office of Inspector General (OIG)
Conducts audits, investigations, evaluations and policy recommendations for decision makers
and the public.
OIG develops and distributes resources to assist the health care industry in its efforts to comply
with the Nation’s fraud and abuse laws and to educate the public about fraudulent schemes so
they can protect themselves and report suspicious activities.
Fraud increases the cost of healthcare and can harm Medicare and Medicaid patients.
Visit the website: https://oig.hhs.gov/
Fraud and Abuse – 3 Components
• False Claims Act
• Stark Law
• Anti-Kickback Statute
Anti-Kickback Statute
The AKS is a criminal law that prohibits the knowing and willful payment of “remuneration” to induce or reward patient referrals or the generation of business involving any item or service payable by the Federal health care programs (e.g., drugs, supplies, or health care services for Medicare or Medicaid patients).
◦ Remuneration – the statute defines it as anything of value
◦ It is illegal to submit claims for payment to Medicare or Medicaid that you know or should know are false or fraudulent.
A physician can be an attractive target for kickback schemes because of the referrals generated from healthcare providers and suppliers.
◦ What are referrals? Student discussion in class
Anti-Kickback Law
Kickbacks in health care can lead to:
◦ Overutilization – using more resources than necessary
◦ Increased program costs (Medicare & Medicaid)
◦ Corruption of medical decision making
◦ Patient steering – offering lower payments for services
◦ Unfair competition
◦ Anti-Kickback Law – prohibits payment for referrals
◦ Penalty – $25K per violation
Stark Law
What is the Stark Law?
The Stark Law refers to a practice of a physician referring patients to a medical facility in which the physician has a financial interest, whether ownership or another type of investment.
Physician Self-Referral
Prohibits a physician from making referrals for certain designated health services (DHS) payable by Medicare where there is a financial relationship (ownership, investment, or compensation), unless an exception applies.
Prohibits the entity from processing claims for those referred services.
Establishes specific exceptions and grants the Secretary authority to create regulatory exceptions for financial relationships that do not pose a risk of patient abuse.
Designated Health Services (DHS)
The following items or services are DHS:
◦ Clinical laboratory services.
◦ Physical therapy services.
◦ Occupational therapy services.
◦ Outpatient speech-language pathology services.
◦ Radiology and certain other imaging services.
◦ Radiation therapy services and supplies.
◦ Durable medical equipment and supplies.
◦ Parenteral and enteral nutrients, equipment, and supplies.
◦ Prosthetics, orthotics, and prosthetic devices and supplies.
◦ Home health services.
◦ Outpatient prescription drugs.
◦ Inpatient and outpatient hospital services.
OIG, 2020
Healthcare Quality Improvement Act
Developed in 1986
Protects the public from incompetent physicians
Requires the Board of Medical Examiners to report professional competence or conduct to the Secretary.
Requires hospitals to request information from the Secretary about providers regarding staff physicians and health care practitioners
◦ Want to read more about these laws?
◦ Visit http://www.hcqia.net/ or NAMSS https://www.namss.org/
Medical Identity Theft
◦ Red Flag Rules – Registration, financial assistance, and the business office will be most affected
◦ Background – The Federal Trade Commission adopted the Red Flag Rules to urge creditors to protect sensitive customer information, watch for the red flags, and respond quickly to claims of identity theft.
◦ What is identity theft? It is fraud.
◦ Medical identity theft is a growing problem and can include SSN, account numbers and other personal information.
◦ Riskiest time for identity theft – when a new patient account is opened
◦ Visit IdentityTheft.gov to report identity theft
◦ Federal Trade Commission
◦ Collaborates with law enforcement across the country and around the world to advance consumer protection and competition missions.
Identity Theft
◦ New requirements for registration
◦ Patients provide a photo ID
◦ Proof of address
◦ Exceptions – Not in the ED, due to EMTALA
◦ How to help prevent identity theft? Watch for these red flags:
◦ Insurance card appears altered
◦ Photo on license does not look like the patient
◦ Signature on driver’s license does not match the patient’s signature on consents
◦ Demographic information does not match
◦ What to do if you discover a Red Flag?
◦ Notify your supervisor
◦ If your supervisor is not available, contact Risk Management or the Compliance Officer
HIPAA of 1996
Privacy and Security
HIPAA
Health Insurance Portability and Accountability Act of 1996. HIPAA is a response by Congress to healthcare reform and is a mandatory federal law. It:
Protects the privacy and security of a patient’s health information.
Provides for electronic and physical security of a patient’s health information.
Prevents health care fraud and abuse.
Simplifies billing and other transactions, reducing health care administrative costs.
Privacy
◦ Minimum Necessary – What type of information am I about to share? It is need-to-know.
◦ Covered Entity – Health plans, healthcare clearinghouses, healthcare providers, business associates
HIPAA Cont’d
◦ Security – Organizations should conduct both risk analysis and risk management procedures; these provide a baseline for detecting risk and mitigating breaches.
◦ Risk analysis – when you look for vulnerabilities of confidential health information
◦ Risk management – This requires an organization to make decisions that address the security risks and vulnerabilities and to implement policies, procedures, and programs that comply with its compliance program
HIPAA: Security Standards
Administrative
• Administrative Action
• Policies and Procedures
Technical
• Access Controls
• Audit Controls
• Integrity
• Person or Entity Authentication
• Transmission Security
Physical
• Facility Access
• Workstation Use
• Workstation Security
• Device and Media Controls
HIPAA
What is PHI? Protected health information
What is EPHI? Electronic protected health information
What is an EMR? An electronic medical record
How does HIPAA affect my job?
Do you handle PHI?
If yes, then it’s your job to protect that information.
Health Information Technology for Economic and Clinical Health Act (HITECH)
– Signed into law by President Obama in 2009.
– Under HIPAA, there were a few grey areas that needed to be fixed. The purpose of HITECH was to eliminate these grey areas.
– Goal is to promote the use of healthcare technology and to encourage use of Electronic Health Records (EHR).
– As of 2008, only 10% of physicians had adopted an EHR system. By 2017, 86% of physicians and 77% of hospitals had adopted an EHR system.
– It provided incentives to providers and healthcare organizations for proper EMR use. Ex: Meaningful Use.
Source: https://www.hipaajournal.com/what-is-the-hitech-act/
Who can I talk to within the Healthcare Organization about Privacy and Security?
◦ Chief Privacy Official (CPO) - responsible for privacy program implementation, facilitating training and education, assessing compliance, and evaluating complaints and potential breaches.
◦ Facility Information Security Official (FISO) - responsible for leading, driving, and helping facility workforce members appropriately comply with the company’s IPS requirements.
◦ Health Information Management Director (HIM) - ensures compliance with state and federal laws and standards related to privacy, security, and record completion.
◦ Director of Information Security (IT & S) - leads and directs the activities of the Information Technology department and partners with business partners to deliver technology services aligned with business needs.
◦ Ethics and Compliance Officer - assists the organization in achieving responsible and effective corporate (risk management) and compliance programs.
Whistleblower
What is a Whistleblower?
A whistleblower is someone who reports waste, fraud, abuse, or dangers to public health or the safety of others. The report is made to an individual or body that is in a position to correct the wrongdoing.
◦ Whistleblower laws are enforced by Occupational Safety and Health Administration
(OSHA)
◦ There are more than 20 whistleblower statutes
◦ Protection from workplace retaliation means that an employer cannot take an
“adverse action” against workers
Whistleblower
What is Retaliation?
◦ Retaliation is when an employer fires an employee or punishes
them in some way as a way to get back at them for blowing the
whistle.
◦ Types of Retaliation:
◦ Firing or Laying Off
◦ Demoting
◦ Threats
◦ Reducing hours or Pay
Whistleblowing in Healthcare
What to look for:
• Provider billing fraud
• Illegal referral fees or kickback schemes
• Drug manufacturer/medical device fraud
What to do if you believe you have whistleblower information:
• Consider internal reporting
• Preserve evidence
• Determine deadlines
• Consult with a professional
How to File A Complaint
Online – Use the Online Whistleblower Complaint Form to submit your
complaint to OSHA. Complaints received online from workers located in
states with OSHA-approved state plans will be forwarded to the appropriate
state plan for response.
Download and Fax/Mail – Download the Notice of Whistleblower Complaint Form (OSHA 8-60.1) PDF, complete it, and then fax or mail it back to your local OSHA Regional or Area Office.
Telephone – Call your local OSHA Regional or Area Office. OSHA staff can
discuss your complaint with you and respond to any questions you may
have.
Letter – You may also send a letter describing your complaint to your local
OSHA Regional or Area Office. Please include your name, address and
telephone number so we can contact you to follow up.
(US Department of Labor, 2016)
Conclusions
Compliance efforts are meant to establish a culture that promotes
prevention, detection, and resolution of conduct that does not conform
to federal and state laws.
Compliance Programs should be an ongoing process to stay up to date
with security threats.
Be a responsible healthcare worker!
References
Brownstein, J., & Little, K. (2016, April 8). Primer on Whistleblowing in Healthcare. Retrieved from http://bnlawatlanta.com/wpcontent/uploads/2014/05/Healthcare-Whistleblowing-April-14.pdf
DHS. (2016, April 9). Fraud and Abuse. Retrieved from https://www.cms.gov/Outreach-and-Education/Medicare-Learning-NetworkMLN/MLNProducts/downloads/Fraud_and_Abuse.pdf
Fox, T. R. (2013, May 23). What Are the Essential Elements of a Corporate Compliance Program? Retrieved from https://www.lexisnexis.com/legalnewsroom/corporate/b/fcpa-compliance/posts/what-are-the-essential-elements-of-a-corporatecompliance-program
Lecture. (2016, April 9). Retrieved from https://courses.css.edu/bbcswebdav/pid-1355072-dt-content-rid-15279269_1/courses/201660HIM6545-701-16SP-61400-M/201660-HIM6545-701-16SP-61400-M_ImportedContent_20160313050439/201590-HIM6545-700-15SU70289-M_ImportedContent_20150530053529/Unit%201/Physician%20Self-Referral%20Law%20-%20Lecture.pdf
National Nurses United. (2016, April 9). Whistleblower Protection Laws for Healthcare Workers. Retrieved from http://www.nationalnursesunited.org/pages/whistleblower-protection-laws-for-healthcare-workers
OIG. (2016, April 9). Comparison of the Anti-Kickback Statute and Stark Law. Retrieved from http://oig.hhs.gov/compliance/provider-compliance-training/files/starkandAKSChartHandout508.pdf
US Department of Labor. (2016, April 9). Whistleblower Protection Program: File a Complaint. Retrieved from http://www.whistleblowers.gov/complaint_page.html
HIPAA Privacy & Security Basics
Course Objectives
✓ Understand the fundamentals of HIPAA
✓ Recognize Protected Health Information (PHI)
✓ Learn who is subject to HIPAA
✓ Identify business associate relationships
✓ Review the Privacy, Security, and Breach Notification Rules
✓ Learn how you may access, use and disclose PHI
✓ Understand the minimum necessary standard
✓ Review patients’ health information rights
Health Insurance Portability and
Accountability Act of 1996
HIPAA was enacted with the following goals:
• Improve portability and continuity of health insurance coverage;
• Combat fraud and abuse;
• Control administrative costs of health care;
• Improve the effectiveness of the health care system; and
• Define patients’ privacy rights and mandate national standards for
securing electronic health records
What information is protected by HIPAA?
Protected Health Information or PHI
➢ Any information created or received by a health care
provider, health plan, or health care clearinghouse; and
➢ Relates to the patient’s (living or deceased) past,
present, or future physical or mental health or
condition, including health care services provided and
payment for those services; and
➢ Identifies the patient or there is a reasonable basis to
believe the information can be used to identify the
individual.
What is Protected Health Information (PHI)?
Identifiers associated with information relating to the past, present, or future physical or mental condition of an individual, the provision of health care to the individual, or payment for that care:
1. Names
2. Geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code and equivalent geocodes, except for the initial three digits of a ZIP code
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89
4. Telephone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers including license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locator (URL)
15. Biometric identifiers, including finger or voice prints
16. Full face photographic images and any comparable images
17. Internet protocol address numbers
18. AND FINALLY, any other unique identifying number, characteristic or code
How to Recognize PHI
PHI = Individual Identifiers + Health Data
Some PHI examples are:
Patient names + clinical research data
Medical record number + lab, pathology and/or radiology results
Insurance account number + billing statement
Social security number + diagnosis/condition
Appointment date + dental casts
Patient initials + MRI or CT scans
Patient phone number + shadow records
Identifiable facial image + medical procedure presentation
Medical device identifier + instructional video
PHI Exists in Many Formats
Printed/Paper
Verbal
Electronic
It is the responsibility of every workforce member including students to protect the privacy and security of PHI in ALL formats.
Examples of Information that is Not PHI
• Newspaper Articles
• Medical Textbooks
• Purchase Orders
• Individually Identifiable Health Information regarding a person who has been deceased for more than 50 years
• Student Educational Records covered under the Family Educational Rights and Privacy Act (FERPA)
• De-identified health information
• Employment records held by an employer:
  – sick leave requests
  – drug screenings as condition of employment
  – fitness for entry exams
  – disability insurance forms
  – payroll/financial records, which are covered under the Georgia Personal Identity Protection Act (GPIPA)
Where does PHI Exist?
PHI in any format may be found in:
– Medical, Clinical Research, Shadow Records
– Quality Assurance Databases
– Photographs, Videos, Radiographs, CT Scans, Ultrasounds
– Instructional Media
– Billing and Insurance Records
– Patient Appointment Schedules
– Faxes, Emails, and Texts
– Conversations, Dictations, Audiotapes
– Computers, Printers, Copiers, Fax Machines, Laptops, Tablets, Smart Phones, Thumb drives, etc.
Does HIPAA apply to all Health
Information/Data?
No, HIPAA regulations are limited only to PHI.
When all identifiers are removed from the health data, it is
referred to as de-identified and is no longer considered
PHI; therefore, no longer governed under HIPAA.
Also, remember student educational records are protected
by Family Educational Rights and Privacy Act (FERPA)
and payroll and personal financial records are protected
by Georgia Personal Identity Protection Act (GPIPA)
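The 18 identifier categories listed above and the statement here that health data stripped of its identifiers is de-identified and no longer PHI, as an added example that is not part of the training deck: a Safe Harbor style filter over a constructed patient record. Field names, the sample record and the RESTRICTED_ZIP3 set are hypothetical placeholders.

```python
import re
from datetime import date
from typing import Any, Dict, List, Tuple

# Field name -> identifier category number from the slide. These fields are removed outright.
DROP_FIELDS: Dict[str, str] = {
    "name": "1", "street": "2", "city": "2", "county": "2", "precinct": "2",
    "phone": "4", "fax": "5", "email": "6", "ssn": "7", "mrn": "8",
    "beneficiary_id": "9", "account": "10", "license": "11", "plate": "12",
    "device_serial": "13", "url": "14", "biometric": "15", "photo": "16",
    "ip": "17", "other_code": "18",
}
# Category 3: dates are reduced to the year; ages over 89 are aggregated into "90+".
DATE_FIELDS = ("birth_date", "admission_date", "discharge_date", "death_date")
# Category 2: ZIP codes keep their first three digits. The regulation additionally zeroes
# prefixes of sparsely populated areas; this set is a hypothetical placeholder that must
# be filled from current census data in real use.
RESTRICTED_ZIP3 = {"036"}
# Identifiers that leak through free-text notes (categories 7, 4/5, 6, 14, 17).
TEXT_PATTERNS: List[Tuple[str, Any]] = [
    ("7", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),                 # SSN
    ("4", re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")),    # phone / fax
    ("6", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),           # e-mail address
    ("14", re.compile(r"\bhttps?://\S+", re.I)),                  # URL
    ("17", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),           # IPv4 address
]


def aggregate_age(age: int) -> Any:
    """Ages over 89 are reported as the single bucket '90+'."""
    return "90+" if age > 89 else age


def deidentify(record: Dict[str, Any], reference: date = date(2024, 1, 1)) -> Tuple[Dict[str, Any], List[str]]:
    """Return (de-identified record, sorted identifier categories that were acted on)."""
    out: Dict[str, Any] = {}
    applied = set()
    for key, value in record.items():
        if key in DROP_FIELDS:
            applied.add(DROP_FIELDS[key])
        elif key == "zip":
            zip3 = str(value)[:3]
            out["zip3"] = "000" if zip3 in RESTRICTED_ZIP3 else zip3
            applied.add("2")
        elif key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = str(value)[:4]
            applied.add("3")
        elif key != "age":  # age is recomputed below
            out[key] = value
    # Derive the age from the birth date (or take a supplied age) and apply the 90+ rule.
    age = record.get("age")
    if record.get("birth_date"):
        b = date.fromisoformat(record["birth_date"])
        age = reference.year - b.year - ((reference.month, reference.day) < (b.month, b.day))
    if age is not None:
        out["age"] = aggregate_age(int(age))
        applied.add("3")
        if out["age"] == "90+":
            out.pop("birth_year", None)  # the birth year alone would reveal an age over 89
    # Sweep free text for identifiers that the structured fields did not carry.
    if isinstance(out.get("notes"), str):
        text = out["notes"]
        for cat, pat in TEXT_PATTERNS:
            text, n = pat.subn("[REDACTED]", text)
            if n:
                applied.add(cat)
        out["notes"] = text
    return out, sorted(applied, key=int)


# Constructed sample record (fictional values).
SAMPLE_RECORD = {
    "name": "Jane Q. Example", "mrn": "MRN-0042", "ssn": "123-45-6789",
    "street": "42 Example Way", "city": "Augusta", "zip": "30912",
    "birth_date": "1931-07-15", "admission_date": "2023-11-02",
    "discharge_date": "2023-11-09", "diagnosis": "E11.9",
    "notes": "Pt called from 706-555-0142; follow-up via jane@example.com. Portal 203.0.113.7.",
}

if __name__ == "__main__":
    clean, cats = deidentify(SAMPLE_RECORD)
    print(clean)
    print("identifier categories handled:", cats)
```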
Who is subject to HIPAA?
Covered Entities:
• Health Plan
• Health Care Clearing House
• Health Care Provider
Business Associates (entities or individuals providing services for or on behalf of Covered Entities involving the use or disclosure of PHI), for example:
• Attorneys
• Third-Party Administrators & Health Record Vendors
• Accountants
• Consultants
• Auditors
Covered Entities Must Comply
❖ A ‘covered entity’ is any person or organization in the normal
course of business that: provides health care; bills for health
care; or is paid for health care services.
❖ AU Health and members of our organized health care
arrangement are considered a covered entity.
❖ Workforce and selected others within our covered entities
and organized healthcare arrangement are responsible for
HIPAA compliance.
This means you!
Business Associates Must Also Comply
A business associate is an individual or entity (vendor or contractor) who performs or assists in the performance of a function or activity in which the vendor accesses, maintains, uses, or discloses PHI on behalf of a covered entity.
A business associate is not a member of the covered entity’s workforce.
Examples of Business Associates
• Attorney engaged by covered entity to defend
a lawsuit if that attorney will have access to
PHI
• An independent transcriptionist that
transcribes physician notes
• An accounting firm that provides financial
services to a covered entity and will have
access to patient billing systems
• A consultant that will provide utilization
reviews to a covered entity
Business Associate Agreements
• Business associate relationships require a document called a business
associate agreement (BAA)
• The BAA should accompany service and purchase
agreements/contracts
• BAAs should be vetted by Legal Affairs and the Privacy Office
HIPAA Basics
• Privacy Rule: what must be protected
• Security Rule: how to protect it
• Breach Notification Rule: managing unsecured PHI
HIPAA Privacy Rule
The Privacy Rule: What must be protected
• The purpose of the Privacy Rule is to define and limit the circumstances in which an individual’s protected health information may be used or disclosed by covered entities.
• A covered entity can only use or disclose protected health information as permitted by the Privacy Rule or authorized by the individual in writing.
• Affords individuals rights over their health information
Use versus Disclosure of PHI
PHI is used when it is:
• Shared internally
• Examined internally
• Applied internally
• Analyzed internally
PHI is disclosed when it is:
• Released outside of covered entity
• Transferred outside of covered entity
• Accessed outside of covered entity
How Can We Use or Disclose PHI?
We may use or disclose PHI in the following circumstances:
– For treatment, payment, and healthcare operations (such
as instruction, peer review, quality assurance, accreditation,
compliance, etc.)
– With an authorization from the patient or their personal
representative
– In limited circumstances, without an authorization if the patient
is provided an opportunity to agree or object
– Other circumstances (IRB waiver for research, public health
reporting, as required by law) may permit use or disclosure
Examples of Uses and Disclosures for
Treatment, Payment and Health Care Operations
Treatment:
– The patient’s referring physician contacts a specialist and requests a
copy of the patient’s exam results for treatment purposes
Payment:
– A patient’s insurance company contacts the patient’s primary care
physician and requests a copy of the patient’s medical record for a
specific service date
Health Care Operations:
– The Privacy Office conducts an access audit of a patient’s
record
Authorization is Not Required for Treatment, Payment, or Operations
Treatment
▪ Provision or coordination of care by or among health care providers
▪ Referral of patients by one provider to another
▪ Coordination of health care or other services among providers and authorized third parties
Payment
▪ Coverage determinations
▪ Billing, claims management and medical data processing
▪ Review of health care services for medical necessity, etc.
Operations
▪ Case management, care coordination
▪ Audit/compliance activities
▪ Conducting or arranging for medical review, legal services or
▪ Accreditation
Uses and Disclosures: Authorization Required
A covered entity must obtain a patient’s valid written
authorization prior to using or disclosing the patient’s PHI for
purposes other than TPO (unless specifically permitted by HIPAA)
• For use or disclosure of psychotherapy notes (exceptions) or
any use or disclosure of the patient’s PHI for marketing purposes
(specific exceptions)
• For any use or disclosure of the patient’s PHI that qualifies as a
“sale”
• Human Research
– Exception: Institutional Review Boards (IRB) may waive patient authorization for
certain research activities.
Uses and Disclosures: Permission Required
Uses and disclosures permitted if patient has the opportunity to agree or object:
– Facility Directory Purposes
  o Limited information (name, location, general condition, religious affiliation)
  o Limited recipients (clergy, etc.)
  o Limited situations (with permission or emergency)
– To Individuals Involved in Patient’s Care
  o Limited information (information directly related to person’s involvement in care or payment)
  o Limited recipients (family members, close personal friends, others identified by patient)
– Notification / Death (unless contrary to patient’s prior expressed preference)
Restrictions
There are also disclosure restrictions for:
– HIV information
– Psychotherapy notes (mental health)
– Drug and alcohol treatment
The types of information listed above are protected by federal and/or
state statute and may not be faxed or photocopied without specific
written patient authorization, unless required by law.
Additional signed authorization must be obtained for any disclosure
related to the restrictions noted above.
Exercise Good Judgment
in Other Situations
• Information may be shared with the patient’s family
and friends if these people are actively involved in a
patient’s care but you should seek direction from the
patient
• When this is not possible, health care providers may
use professional judgment to determine what
information to share with family and friends
• When in doubt, consult the Privacy Office
Disclosing Health Information is
Sometimes Required
Examples of required disclosures:
• Public Health Requirements
• Health Oversight Activities
• Judicial & Administrative Proceedings
• Organ Donation
• Public Safety
• Government Proceedings
• Workers Compensation
What is the difference between an incidental
and an accidental disclosure of PHI?
Incidental disclosure cannot reasonably be prevented, and is not a violation of HIPAA.
Examples include: a hospital visitor overhearing a provider’s confidential conversation with a
patient; or someone catching a glimpse of a patient’s information on a sign-in sheet.
Accidental disclosure is not permitted under HIPAA and would subject the
organization to penalties for the violation.
Examples include: unintentionally emailing a list of patients to the wrong recipient or misdirecting
a faxed referral.
The key is to make reasonable efforts to limit incidental disclosures and to
avoid accidental HIPAA violations.
Understanding the
Minimum Necessary Requirement
A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of
protected health information needed to accomplish the intended purpose.
When the minimum necessary standard applies to a use or disclosure, a covered entity may not use,
disclose, or request the entire medical record for a particular purpose, unless it can specifically justify the
whole record as the amount reasonably needed for the purpose. The minimum necessary requirement is
not imposed in any of the following circumstances:
– disclosure to or a request by a healthcare provider for treatment;
– disclosure to an individual who is the subject of the information
– use or disclosure made pursuant to an authorization;
– disclosure to HHS for complaint investigation, compliance review or enforcement;
– use or disclosure that is required by law; or
– use or disclosure required for compliance with the HIPAA Transactions Rule or other HIPAA
Administrative Simplification Rule
More on Minimum Necessary
Staff and providers are generally required by HIPAA to limit the use and disclosure of PHI to the minimum necessary (a “need to know” basis) to accomplish the job duty. Accessing PHI should be based only on the employee’s work-related functions.
Examples:
➢ When scheduling appointments, front office staff will probably
not need to have access to X-rays of a patient
➢ You forgot the time of your child’s next doctor visit. You cannot use your access for this non-work-related activity
Use and Disclosure is limited to Work Related Need
PHI should be seen by only those who have a work-related need to see it.
PHI should be heard by only those who have a work-related need to hear it.
PHI should be shared with those who have a work-related need to receive it.
Understanding Individual/Patient’s Rights
HIPAA provides individuals with rights to:
• Receive a notice that tells how their PHI may be used and disclosed (Notice of Privacy Practices (NPP))
• Get a copy of or access to their medical and billing records
• Request an amendment to inaccurate or incomplete PHI
• Request an accounting of disclosures of PHI
• Request restrictions on use and disclosures of PHI
  – Includes out-of-pocket payment options
• Receive confidential communications (such as medical or billing records) by alternative means or locations
• Be notified when their PHI is breached
• Opt out of fundraising communications
• Give authorization before their PHI can be used or shared for certain purposes
• File privacy complaints to the covered entity or to the federal government
Distribution of Notice of Privacy Practices
• Providers are only required to give a copy of the Notice of Privacy
Practices (NPP) to new patients.
• Copies of the revised NPP must be available for existing patients to
request and take with them.
• Providers must post the revised NPP in a clear and prominent
location.
Marketing, Fundraising, and Sale of PHI
• Marketing: Before any disclosure or use of PHI, patient authorization must be obtained to permit marketing if remuneration (financial, in-kind, or otherwise) is paid by a third party to a CE or BA
  Contact the Communications & Marketing office before beginning marketing activities
• Fundraising: An individual must be given an opportunity to opt-out of receiving communication regarding fundraising.
  – Treatment cannot be conditioned on not opting-out and opt-out provisions must be clear and conspicuous
  Contact the Office for Advancement before beginning fundraising activities
• Sale of PHI: Receipt of remuneration (financial, in-kind, or otherwise) in exchange for PHI is prohibited, unless there is a patient authorization.
  Contact the office for Legal Affairs before considering sale of PHI
HIPAA Security Rule
The Security Rule: How to protect it
Sets national standards for the security of electronic protected health information.
Administrative: Policies, Procedures, Safeguards
Technical: Encryption, Firewalls, Passcodes
Physical: Locked Doors, Security badges
Electronic PHI (ePHI) is stored, transmitted or received electronically. Examples of electronic media include:
▪ Personal computers or laptops used at work, home or while traveling
▪ External or portable hard drives
▪ Removable storage devices, such as USB drives, CDs, and DVDs
▪ Phones, tablets, pagers
▪ Electronic transmission of data via the internet (e.g. email, file transfer)
The Security Rule Requires Covered Entities to:
1. Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
2. Identify reasonably anticipated threats to the security of the information;
3. Protect against impermissible uses or disclosures; and
4. Ensure compliance by their workforce.
5. Designate a HIPAA security officer
6. Conduct regular security assessments
7. Implement administrative, physical and technical safeguards
Privacy Rule versus Security Rule
Privacy Rule:
• The individual’s view of what a covered entity does with his/her health information
• A set of “individual rights” to be exercised by the individual
Security Rule:
• The covered entity’s view of how it protects an individual’s health information
• A set of standards to be implemented to protect the confidentiality and privacy of the individual’s health information
HIPAA Security Guiding Principles:
Ensure ePHI is used, stored, transmitted or
received with:
Confidentiality – Only the right people see it
Integrity – The information is what it is
supposed to be – no unauthorized alteration
or destruction
Availability – The right people can access
the ePHI when needed
Recognize and Respond to Security Events
Healthcare organizations are under attack – AU is no exception.
Attack methods will evolve as we strengthen our defenses, so we cannot predict how the next attack will occur. Other organizations have experienced breaches through:
– Phishing: sending spoofed emails to try to compromise your account
– Social engineering: impersonation of an authorized individual to gain access to sensitive information, whether remotely or onsite
– Hacking: exploiting technical vulnerabilities in systems to gain access
– Theft or access: physical access to devices containing sensitive data for the purpose of stealing the data or the device
Recognizing Impermissible
Uses and Disclosures
HIPAA Privacy Violations – Examples
❑ Talking to neighbors or others about patients
❑ Speaking about a patient at a place of worship
❑ Accessing the health record of a co-worker or your own record
❑ Keeping paper records open so that anyone can see them
❑ Posting information about patients on the internet or social media
❑ Taking photographs or videos of patients or their family members
in the hospital or clinical settings without specific oversight and
applicable authorization
❑ Sending e-mails that contain patient information to people who do
not need to know or unencrypted emails to those who do
❑ Selling patient information
❑ Unsuccessful destruction of paper PHI
Remember: PHI can be communicated in written, verbal or electronic form!
Example of a HIPAA VIOLATION
Unauthorized Verbal Disclosure
of Medical Record
“Joe, I just thought I’d
give you a call and let
you know that your
neighbor, Mrs. Smith,
had heart surgery last
week – I am looking at
her record now. You
might want to go over
and check on her later.”
Example of a HIPAA VIOLATION
Public Discussion of PHI
Failure to Safeguard
“Did you hear
what happened
with Dr. Careless’
patient?”
“It was unfortunate that
he left that needle in Mrs.
Blaine. She almost died
from an infection.”
Example of a HIPAA VIOLATION
Social Media & Facebook Entries
Regarding PHI & Events at Work
“…take a look at this
photo with me and a
patient I’ve seen over
the past few weeks. I’m
so happy I was able to
celebrate his birthday
with him today…”
“…a confused patient,
Mrs. Jenkins, got
dressed and wandered
out of the building…it
took the staff 4 hours
to find her – she was
10 blocks away. What
a headache…”
Five Social Media Posting No-No’s
1. Anything with a photo of a patient
2. The well-meaning post
“Happy birthday Millie! I love being your nurse!”
3. The failed attempt at anonymity
“Treated a pregnant teen tonight for an overdose. So sad…”
4. The rant
“Alcoholic hockey players are so grumpy…”
5. The HIPAA problem AND the dignity problem
“Tired of cranky patients who argue with me over which shirt to wear!”
By Margaret Scavotto, JD, CHC
Example of a HIPAA VIOLATION
Sale of Patient Information
“…thank you for
supplying that list
of pregnant
patients…we
would be happy to
send them
information on our
new child care
products”
“…It was no problem!
Anytime you need this
information I’ll provide
it…of course I’m
assuming you’ll still be
providing me $15 for
every patient on the
list.”
Example of a HIPAA VIOLATION
Unauthorized Access of
Medical Record
“…Is that a
patient from our
group?”
“…No, my newborn
niece is under the care
of Dr. Trouble and has
had some problems. I
just want to see if her
test results are back
yet.”
Unauthorized Access/Use
It is never acceptable for an employee to look at PHI “just out of curiosity,” even if no harm is intended (e.g., retrieving an address to send a greeting card).
It also makes no difference if the information
relates to a ‘high profile’ person, a close friend
or family member, or even YOURSELF! – All
PHI is entitled to the same protection and must
be kept private and confidential.
To access your own health information, contact HIMS to
obtain a copy or to enroll in the VIP portal.
Example of a HIPAA VIOLATION
Unauthorized Disclosure of
Protected Health Information
“Well this will make you laugh. It says that I am pregnant. Oh look here, I was given someone else’s discharge papers.”
“Let’s review the papers that you were given upon discharge from the hospital.”
Potential HIPAA Violation
Risk for Identity Theft and Potential Patient Harm
Failure to properly identify or input information into the computer system
“I guess being off only by one character does make a difference.”
HIPAA Breach Notification Rule
Breach
• An impermissible acquisition, access, use or disclosure of
protected health information is presumed to be a breach
unless the covered entity demonstrates there is a low
probability that the PHI has been compromised
• Should be determined by the individual or department
delegated the authority to make such a determination
The Breach Notification Rule
Requires covered entities and their business associates to provide notification following a breach of unsecured PHI unless the covered entity can demonstrate a low probability of compromise after completing a risk assessment.
HIPAA Breach Notification Rule Summary
1. Requires Assessment of the Incident
2. Requires Notification to the Affected Individuals, HHS, and (in certain cases) the Media
3. Requires Reporting to Department of Health and Human Services
Breach Notification Risk Assessment
• The nature and extent of the PHI involved, including
types of identifiers and likelihood of re-identification;
• Whether the PHI was actually acquired or viewed
• The unauthorized person who used the PHI or to
whom the disclosure was made;
• The extent to which the risk to the PHI has been
mitigated
System Access: Case Studies
Laura is in a custody battle with her ex-husband, Sam. Sam’s fiancée, Stacey, has access to Laura’s electronic medical record. Stacey used her authorized credentials to access and review Laura’s chart, then reported back to Sam what she found out, with the hope that the information will support his custody case.
System Access: Case Studies
Dan works in radiology. He overheard his co-worker talking
about taking x-rays of a patient who is CEO of a major
corporation in town. The patient was in an accident and the
local media has been reporting on the story. Dan used his
authorized access to review the CEO’s record. That evening he
posted details of the case on his Facebook page.
System Access: Case Studies
Marcia and Lily are “long-timers” at the hospital and have
known each other for years. They don’t socialize much after
work but consider each other good friends. Marcia learns
from a co-worker that Lily was admitted through the ED over
the weekend and it looks like she will be taking an extended
medical leave. Marcia is concerned about Lily so she uses her authorized access to look up Lily’s ED and triage assessment to find out what’s wrong with her.
System Access: Case Studies
Two celebrity patients received treatment at a
hospital. Numerous employees repeatedly and
without a work related reason looked at the
medical records of the patients.
Unsecured PHI
Case Studies
A hospital employee left documents containing the names
and medical record numbers for a group of 192 patients on
the subway. The documents were never found.
Result:
The hospital agreed to pay the government $1 Million.
Why?
• The hospital impermissibly disclosed PHI by violating provisions of the HIPAA Privacy Rule and
• The hospital failed to implement reasonable and appropriate safeguards to protect the privacy of PHI when documents were removed from the hospital’s premises
Sanctions for Patient Privacy Violations
Disciplinary action should be taken depending on the severity of the violation, whether the violation was intentional or unintentional, and whether the violation indicates a pattern or practice of improper access, use or disclosure of PHI. The sanctions imposed may include but are not limited to:
• Counseling and Education – from the supervisor and/or the Enterprise Privacy Officer about policy noncompliance
• Warning – verbal or written communication that warns the workforce member that the performance or conduct is unacceptable and violates the policies
• Suspension – administrative leave with/without pay (Manager shall review such action with Employee Relations, Human Resources or Vice President of Human Resources prior to communicating with the workforce member)
• Discharge – a workforce member, contractor, or business associate may be terminated from employment or contract. (Manager shall review such action with Employee Relations, Human Resources or Vice President of Human Resources prior to communicating with the workforce member)
• Notification to law enforcement officials and regulatory, accreditation and licensure organizations
Privacy Matters
to our Patients
By proactively protecting our patients’ privacy, we
are:
• Building a reputation for privacy, helping us attract
and retain patients
• Giving our patients confidence in their choice of
care provider
• Assuring patients that they can share sensitive
information without fear
• Positioning our organization for long-term success
Patient Privacy Monitoring Services
The systems that contain ePHI are
monitored 24/7 for unusual or suspicious
activity.
By working together to build a culture of
privacy, we can reduce the following
types of activities:
– VIP Snooping
– Coworker/Supervisor Snooping
– Household Snooping
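The snooping patterns named on this slide and the System Access case studies above (the coworker, high-profile and celebrity-patient lookups), as an added example that is not part of the training material: rule-based review of constructed chart-access events against a roster and patient index. Logins, addresses, MRNs, the VIP flag and the care-team field are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Access:
    ts: str          # event time (ISO 8601 string; constructed sample data)
    user: str        # workforce member's login
    mrn: str         # medical record number of the chart that was opened
    care_team: bool  # the system recorded a documented treatment, payment or operations role


# Constructed roster and patient index: hypothetical logins, addresses and MRNs.
EMPLOYEES: Dict[str, dict] = {
    "marcia.p": {"address": "3 Pine Rd",  "own_mrn": "MRN-300"},
    "lily.t":   {"address": "7 Birch Ln", "own_mrn": "MRN-301"},
    "dan.k":    {"address": "9 Oak Ave",  "own_mrn": None},
    "stacey.r": {"address": "12 Elm St",  "own_mrn": None},
    "nurse.a":  {"address": "1 Main St",  "own_mrn": None},
    "nurse.b":  {"address": "2 Main St",  "own_mrn": None},
}
PATIENTS: Dict[str, dict] = {
    "MRN-300": {"address": "3 Pine Rd",  "vip": False},  # Marcia's own chart
    "MRN-301": {"address": "7 Birch Ln", "vip": False},  # Lily's own chart
    "MRN-400": {"address": "12 Elm St",  "vip": False},  # member of Stacey's household
    "MRN-500": {"address": "5 Lake Dr",  "vip": True},   # flagged as a high-profile patient
}
MASS_ACCESS_THRESHOLD = 3  # distinct users without a care-team role viewing one chart


def classify_access(ev: Access) -> List[str]:
    """Per-event rules. Returns the snooping patterns the event matches (empty if none)."""
    if ev.care_team:
        return []  # a documented work-related need satisfies every rule below
    hits = ["no_documented_relationship"]
    emp = EMPLOYEES.get(ev.user, {})
    pat = PATIENTS.get(ev.mrn, {})
    coworker_charts: Set[str] = {e["own_mrn"] for e in EMPLOYEES.values() if e["own_mrn"]}
    if emp.get("own_mrn") == ev.mrn:
        hits.append("self_access")
    elif ev.mrn in coworker_charts:
        hits.append("coworker_snooping")
    elif pat.get("address") and pat["address"] == emp.get("address"):
        hits.append("household_snooping")
    if pat.get("vip"):
        hits.append("vip_snooping")
    return hits


def review_log(events: List[Access]) -> List[Tuple[str, str, str, str]]:
    """Per-event rules plus the cross-event mass-access rule.
    Returns (ts, user, mrn, pattern) findings in log order; a mass-access
    finding carries ts '*' and the comma-joined, sorted list of viewers."""
    findings: List[Tuple[str, str, str, str]] = []
    viewers: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        findings.extend((ev.ts, ev.user, ev.mrn, p) for p in classify_access(ev))
        if not ev.care_team:
            viewers[ev.mrn].add(ev.user)
    for mrn, users in viewers.items():
        if len(users) >= MASS_ACCESS_THRESHOLD:
            # many unrelated users on one chart: the celebrity-patient pattern
            findings.append(("*", ",".join(sorted(users)), mrn, "mass_access"))
    return findings


# Constructed access events (fictional).
SAMPLE_LOG = [
    Access("2024-05-01T08:02", "nurse.a",  "MRN-500", True),   # care team: no finding
    Access("2024-05-01T08:15", "marcia.p", "MRN-301", False),  # a coworker's chart
    Access("2024-05-01T09:40", "marcia.p", "MRN-300", False),  # her own chart
    Access("2024-05-01T10:05", "stacey.r", "MRN-400", False),  # same household
    Access("2024-05-01T11:30", "dan.k",    "MRN-500", False),  # VIP chart, no role
    Access("2024-05-01T11:31", "stacey.r", "MRN-500", False),
    Access("2024-05-01T11:35", "nurse.b",  "MRN-500", False),
]

if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding)
```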
Confidentiality Statement
Augusta University defines unauthorized
access or disclosure as:
• Access to student, patient, research
participant, employee or volunteer
information not necessary to carry out
your job responsibilities. This includes
access to the private records of your
family, friends and acquaintances that is
not for a legitimate or business use.
• Disclosure of student, patient, research
participant, employee or volunteer
records to unauthorized internal or
external recipients.
• Disclosure of additional or excessive student, patient, research participant, employee, or volunteer information to an authorized individual/agency, beyond what is essential to the stated purpose of an approved request.
This ends this lesson.