Embed Size (px)
Citation preview
The Supervisor & The Law/HIPPACh. 27 & 28
Affirmative Action & Equal Employment Opportunity
Title VII of the Civil Rights Act of 1964-
The Equal Pay Act of 1963-
The Age Discrimination in Employment Act of 1967 (ADEA)-
The Older Workers Benefit Protection Act of 1990 (OWBPA)-
The Americans With Disabilities Act (ADA)-
Civil Rights Act of 1991-
Family and Medical Leave Act of 1993 (FMLA)-
Sexual Harassment-
HIPPA 101
Health Insurance Portability and Accountability Act of 1996.
For most people, it’s about continuity and renewability of employee health insurance, use of medical savings accounts, and long-term care coverage.
For healthcare, it’s really about Privacy Rules and their requirements.
HIPPA is overseen by the Department of Health and Human Services.
New HIPAA Rules
• Your facility must notify patients and others quickly of breaches of “unsecured protected health information” (PHI)
– Notice required within 60 days of discovery of a breach involving unsecured PHI
• Example of unsecured PHI:
– PHI on a laptop that is not encrypted
– Paper records with PHI that are tossed in the trash instead of shredded
– A misdirected fax
New HIPAA Rules
• A “breach” is a use or disclosure of unsecured PHI that is not permitted by HIPAA and that creates a significant risk of harm to the patient or other persons– Harm to a person’s reputation;
– Harm to a person’s finances; or
– Any other type of harm
• Any use or disclosure of PHI that is not allowed by our HIPAA privacy policies might be a breach and needs to be reviewed by the Privacy Officer right away
What you need to do• You Must report any time you know or suspect that protected health
information has not been used properly or is lost, stolen or misdirected - even if the improper use seems minor
• Report it to your supervisor and the Facility Privacy Officer immediately (or Compliance if the Privacy Officer is not available)
• The Facility will have a Committee that will meet to determine if the breach must be reported under the rule.
• Failure to report (even a minor breach) can lead to discipline– This is
important.
Another new law- Red Flag Rules
• Be on alert for “red flags” of possible identity theft• Examples of red flags:
• A picture ID that does not match the person• An ID that looks forged• A date of birth provided by the patient that does not match information already on file
• If you see something that might be a red flag, notify the Privacy Officer right away
• The Privacy Officer will review the red flag report and take appropriate action
Practice, look at some scenarios….
Scenario #1 - HIPAA
Ted is a nurse who works in the Radiology Department. His wife, Jill, who is also a nurse, often picks him up from work. She often arrives early. Since she is familiar with the staff, she hangs out with Ted’s coworkers until the end of Ted’s shift. She sometimes helps with patient files. She also talks with Ted’s coworkers about patients.
• Is it ok under HIPAA for Jill to wait for Ted in the department?
• What if she waited in the patient waiting area?
• Can she help with patient records since she is a nurse?
• If she sees patient health info, is this a breach? If so, and you find out, do you need to report it?
Scenario #2 - Gifts
Mary is an employee of the hospital. A patient overheard that her birthday is coming up. To show his appreciation for her hard work, he wants to give her a $100 gift certificate in recognition of her birthday.
• Can Mary accept the gift?
• Why or why not?
• If she wants to accept the gift what should she do?
• Instead of a $100 gift certificate, what if the gift was tickets to a concert?
Nurse Smith, is the director of the clinic Dr. Jones practices in. Nurse Smith would like to recognize Dr. Jones for his hard work and help he gives the staff. Nurse Smith knows the hospital has football tickets and would like to give him tickets to an upcoming game.
Scenario #3 - A Different kind of Gift
• Can Nurse Smith give Dr. Jones the tickets?
• What makes giving gifts to physicians different?
• What about other free or reduced items?
Scenario #4 - Business Practices
Mr. Green is a billing clerk. He has received four calls today from patients complaining that there was a service listed on their bill that was never provided - all from the same clinic. Based on information provided by the patient, he thinks that the services were never provided.
• Can Mr. Green remove the charges for services the patients state did not take place and be done with it?
• What could be some consequences - to him, to the facility, to the clinic if these charges are phony?
Scenario #5 - Reporting
Rather than deleting the codes, Mr. Green decides to report it to his supervisor for follow-up and in the hope that he can get guidance on how to handle the issue. His supervisor tells him not to worry about it, just remove the charges if patients complain, otherwise leave it alone or he’ll be in trouble.
Was Mr. Green correct to report this to his supervisor?
Who else can he report this to?
Can he do it anonymously?
What exposure under the Code of Conduct does the
supervisor face?
Scenario # 6 - Vendors
Bob, a therapist, notices that pharmacy reps have been visiting the facility. They make sales pitches about their drugs while bringing lunches for employees and physicians. The vendors also invite everyone for after work drinks where they buy. Bob also notices that the reps sometimes don’t display a visitor’s badge.
Later, Bob strikes up a conversation with Joe, a member of the housekeeping staff. Joe brags that he got a sweet deal on a used pickup from Cindy- 50% cheaper than any similar pickup he could find on the internet. Bob knows that Cindy sells housekeeping supplies to the facility.
Has there been a Code of Conduct violation?
What does Bob need to do if he has concerns?
Can a vendor ever provide food to the facility?
What about the lack of a visitor badge?
What about Joe? Does Bob need to report this? What
has Joe done wrong if anything?
Scenario #7 - Documentation
Nadine is filling out documentation. She knows the documentation is important for reimbursement and that auditors could rely on her documentation. Lately she’s been under pressure to be more productive. She blames her boss for the pressure and knows everyone else cuts corners. She decides it wouldn’t hurt anything to expand her time entries by a few minutes besides she puts in extra work.
She could be a therapist recording patient session times; a secretary filling out work time; a physician documenting E&M codes; an accountant recording journal entries; Think about your own job
Has Nadine put herself at risk?
What about the facility? Has she placed the it at risk?
What would you do if you suspected Nadine’s time
sheets weren’t accurate?
What if you knew and didn’t do anything?
HIPAA in the News• “Nurse Prosecuted over HIPAA Breach”
• “VA to Pay $20 Million in Data Breach Case”
• “CVS Pays $2.25 Million and Tightens Practices to Settle HIPAA Privacy Case”
• “Employees Fired for Viewing Mother of Eight’s Records”
• “Missing Flash Drive Could Constitute Federal Offense”
HIPAA in the News• “UCLA Medical Center Leak Becomes
Flood”
• “ACLU tells Congress to “go to the gold star standard” in patient privacy
• “Hospital Employees Fired for Taking, Posting Photos On-line
• “Swedish Hospital Suspends Nurse who Posted Surgery Photos on Facebook”
• “Tenet Employee Charged with Theft, HIPAA Violations”
Identity Theft in the News• “Technologist Charged With Patient
Credit Card Theft”
• “Healthcare Staff Frequent Participants in Medical Identity Theft”
• “Identity Thefts in the Healthcare Industry on the Rise”
• “Former Cedars-Sinai Employee Held for Identity Theft, Fraud”
