Institute:Office of National Coordinator (ONC) Workforce Training Curriculum
Component:Introduction to Health Care and Public Health in the U.S.
Unit:Regulating Health Care
Lecture:The Role of Medical Records in U.S. Health Care
Slide content:Compliance Beyond Fraud and Abuse. HIPAA Privacy and Security Rules. What is the plan for appropriate release of PHI? How is the tracking of release occurring? Who is responsible for breach notification? What training is being done? Is there a team reviewing policies and procedures?
Slide notes:Compliance programs, when broadly applied to a health care organization, are concerned with more than just fraud and abuse. A comprehensive compliance program takes into consideration all applicable rules, regulations, and laws. For example, organizations must follow the HIPAA Privacy and Security Rules pertaining to the release of protected health information, or PHI, and the security of that data. The health information management department manages requests for PHI after the patient leaves the facility. Requests may come from patients, lawyers, other health care providers, and other entities. Department personnel are trained in the most up-to-date rules relating to the release of information. The business office releases health information when it is needed for claim payment. Sometimes nursing stations release information upon discharge to an extended-care facility. Therefore, several departments may be releasing PHI, and all of them need to be well trained in HIPAA policies. Tracking the release of PHI must be systematic and transparent. Breaches of security need to be tracked as well. Humans make mistakes, and information may be sent to the wrong patient or third party. When a facility learns this has happened, it must follow the relevant policies and procedures established in the corporate compliance plan. Likewise, breaches of data must be reported to the Department of Health and Human Services (HHS). A breach affecting 500 or more individuals, for example the loss of an unencrypted laptop containing the PHI of 500 or more patients, must be reported to HHS without unreasonable delay and no later than 60 days after discovery; smaller breaches are logged and reported to HHS annually. (Loss of PHI that was encrypted in line with HHS guidance is not a reportable breach, which is one reason encryption of portable devices matters.) There are policies and procedures for notifying individual patients when their privacy is breached. All department managers and key personnel must review policies and procedures to address any issues related to the release of information. Although general HIPAA training is mandated for all personnel, additional in-depth training is needed in high-risk areas where breaches could occur. Those areas of risk must be identified, and training must be ongoing to ensure compliance.