HIPAA Training
HIPAA ENFORCEMENT RULE
-Addresses compliance, investigations, and potential penalties for violations of the HIPAA Privacy Rule and Security Rule.
-The Office for Civil Rights (OCR) within HHS is responsible for enforcing the HIPAA regulations.
-Responding to incidents: document any known violation of privacy protection; establish and publicize a disciplinary policy.
-Building a culture of compliance: everyone in the organization sees himself or herself as responsible for the privacy and security of health information; identify and correct gaps regularly.
RELEASE OF INFORMATION WITHOUT AUTHORIZATION - HIPAA allows "directory information" if :
-The inquirer asks for the patient by first and last name.
-The patient has not restricted release of directory information.
-The patient is not receiving mental health or chemical dependency services (those services are never included in directory information).
HIPAA PRIVACY RULE
"The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing."
-National standards to protect health information.
-Sets conditions on how health information can be used and disclosed by covered entities.
-Gives patients rights over their protected health information (PHI).
Minnesota Minor Consent Law
-Any minor may give consent for medical, mental health, and other health services in the following situations: pregnancy; sexually transmitted diseases/infections; drug or alcohol abuse; contraceptive care.
-The minor is entitled to confidentiality for these visits. If asked, we need to ensure information about these visits is not released without the minor's consent.
Release of Information
-Understand and follow Release of Information policies.
-A Release Form needs to be completed for most releases of information. The entire form needs to be completed and sent to Medical Records.
-Exceptions: immunization records can be released to patients, parents, schools, or day care centers; state-mandated reporting of STIs and other diseases does not need a release.
Conversations
-When possible, discuss patient information privately, such as behind a closed door. -Avoid discussing patient information in waiting rooms, break rooms, etc. -Remember to talk quietly.
HIPAA VIOLATIONS Accidental Violations (& examples)
Accidental Violations: PHI is disclosed to an unauthorized person by mistake. Examples: unintentionally faxing or sending patient data to an incorrect destination; unintentionally exposing patient data to someone who shouldn't see it.
HIPAA ENFORCEMENT RULE
-All breaches of unsecured PHI must be reported to OCR.
-Breaches affecting more than 500 individuals must also be reported to prominent media outlets.
-Document all steps taken to correct the breach.
-Cooperate quickly and fully with the investigators.
HIPAA's purposes:
-Balance improving the flow of information with protecting the privacy of patients.
-Provide more control to patients over their personal health information.
-Punish those who misuse patient information by imposing criminal and civil penalties.
HIPAA PRIVACY RULE Business Associates
Business Associates: ask whether the outside party performs a service on behalf of the healthcare organization that requires accessing, using, or disclosing our patients' PHI. If so, they are a business associate. Examples: outsourced labs, coding, virtual radiology, attorneys, locum tenens.
Computer Etiquette
-Don't share your username and password.
-Don't post usernames and passwords on your computer, notebook, tablet, under your keyboard, etc.
-Create secure passwords.
-When leaving a computer, ALWAYS log off or lock the computer screen.
These departments work together to ensure confidentiality of health medical records.
HIPAA OCR ONC HHS
HIPAA PRIVACY RULE 8. Sale, marketing, and fundraising
HIPAA prohibits the sale of PHI without the patient's authorization. Practices can communicate with patients about their services, send refill reminders, and send letters about health-related goods and services as long as the practice does not receive payment for doing so. HIPAA allows for patients to opt out of fundraising communications.
What is Minimum Necessary?
Minimum Necessary: use or release only the information necessary to accomplish the intended purpose of the use, disclosure, or request.
-For employees: access to PHI is limited to a "need-to-know" basis.
-For individuals not employed at the location: limit the PHI provided to what is needed to meet the request.
HIPAA SECURITY RULE
-National standards to protect electronic health information.
-Sets conditions to ensure electronic health information is: not available to unauthorized persons (confidentiality); not altered or destroyed in an unauthorized way (integrity); available to authorized users when needed (availability).
-All electronic protected health information (e-PHI) is covered by the Security Rule, including e-PHI on handheld devices. The Security Rule does not cover oral or written PHI (those are covered by the Privacy Rule).
-Requires covered entities to establish data security measures for PHI that is maintained in electronic format.
OCR
Office for Civil Rights
ONC
Office of the National Coordinator for Health Information Technology
HIPAA History
-1996: HIPAA enacted, creating standards for protection of patient confidentiality, security of electronic systems, and electronic transmission of health information. Its initial purpose was to set standards for transmitting electronic health data and to allow people to transfer and continue health insurance after they change or lose a job.
-2003: Privacy Rule compliance date.
-2009: HITECH Act created financial incentives for healthcare providers and insurers to continue shifting to EMR, and addressed privacy and security concerns related to the electronic transmission of health information.
-2013: Omnibus Final Rule updated the 2003 and 2009 rules.
HIPAA PRIVACY RULE It also explains how covered entities can use and disclose:
PHI (Protected Health Information): all individually identifiable health information that is transmitted or maintained in any format or medium, whether electronic, handwritten, or spoken (conversations).
HIPAA PRIVACY RULE 1. Right of access
-Patients have the right to access their own medical records within 30 days of the request. The exception is psychotherapy notes.
-Health organizations cannot charge for the medical record itself, but can charge a reasonable, cost-based fee for staff time, paper, and postage to provide the copy.
-Health organizations cannot withhold a copy of the medical record because the patient has not paid a bill, nor withhold records that came from other providers/health organizations.
PHI Includes:
-Patient identifiers such as: name, patient ID number, Social Security number, health plan number, date of birth, phone number, street address, email address.
-Items in the record such as: encounter/visit documentation, lab results, appointment dates/times.
HIPAA PRIVACY RULE 6. Right to restriction
-Patients may restrict disclosure of their PHI to their health plan if they pay out of pocket in full for the goods or services.
-Patients may direct how they wish to be contacted, such as through a particular phone number or address, and whether a message may be left.
What is "DIRECTORY INFORMATION" ?
-Patient's name
-Condition, in general terms (undetermined, good, fair, serious, critical)
-Location in the facility
-Religious affiliation (disclosed to clergy or a community faith leader only)
HIPAA PRIVACY RULE 5. Friends and Family
Patients can request that their information be shared with their friends and family. A provider may also share information with these persons if, using professional judgment, he or she decides that it is in the best interest of the patient. Professional rules may require a provider to share information if the patient presents an imminent threat to themselves or another person.
HIPAA PRIVACY RULE 4. Authorization
Patients have the right to decide how their information is used or shared, and must sign a release. The exception is release for treatment, payment, or health care operations (TPO). Specifically, patients have the right to decide whether their information can be shared with employers.
HIPAA PRIVACY RULE 3. Accounting for Disclosures
Patients have the right to know with whom their information has been shared. On request, you must be able to provide a report to your patient of the entities with whom their PHI was shared.
HIPAA PRIVACY RULE 2. Amendment
Patients have the right to request that information in their chart be amended. If the provider disagrees with the amendment, the patient must be notified in writing of the following:
-The basis for the denial
-Their right to file a statement of disagreement, to be kept in their file and included with future PHI disclosures
-Their right to complain to the covered entity or to the Secretary of Health and Human Services
-Contact information for the covered entity's privacy officer
HIPAA SECURITY RULE: Physical Security, Technical Security, Culture of Compliance
-Physical Security: lock offices; screen PHI from public view.
-Technical Security: use passwords on desktop and portable devices; encrypt data.
-Culture of Compliance: treat information as you would treat the patient.
HIPAA PRIVACY RULE 7. Notification of privacy practices
-Practices must issue a notice of privacy practices to all patients on their first visit, and patients must be able to take home a copy.
-Practices must have a mechanism for patients to register complaints about information privacy, and to have those complaints addressed free from retaliation.
-Practices must designate a HIPAA compliance officer.
HIPAA Details Contains:
Privacy Rule Security Rule Enforcement Rule
PHI
Protected Health Information
HIPAA PRIVACY RULE applies for how many years after death?
The privacy rule applies for 50 years after death.
CMS
Centers for Medicare and Medicaid Services
EHRs
Electronic health records
EPHI
Electronic protected health information
OCR
Office for Civil Rights
PHI is Individually Identifiable Health Information relating to:
-Identity of the individual (name, birthdate, address, etc.). -Health/condition of an individual. -Payment for health care of an individual.
CURB YOUR CURIOSITY
-New York City's public hospital system suspended 39 employees without pay for peeking at the private medical records of a 7-year-old girl who died from beatings and torture and became a tabloid and TV news sensation.
-Dozens of workers at the Woodhull Medical and Mental Health Center couldn't resist looking at the child's computerized medical file.
-The unpaid suspensions lasted from 30 to 60 days, and each of the sanctioned employees was required to undergo training in patient privacy rules before returning to work.
Workplace Auditing
-Required by law.
-Random and targeted audits of user access are performed to determine the appropriateness of access and compliance with NHS's policies.
-Some things auditors will look for: accessing or changing a patient record outside the scope of a job function; accessing a family member's record; accessing your own record; discarding chart updates.
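The access audit described above can be automated as detection logic over the EHR access log. The following is an added example (not code from the original page or from any EHR product): it runs the four audit checks listed above over a constructed sample log and returns one finding per rule tripped. The CSV layout, the user and patient IDs, the HR-style reference tables (which employee's own chart is which, declared relatives, role-to-action map, care-team assignments) and the rule names are all assumptions made for the example.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample EHR access log (hypothetical CSV layout, not a real
# product's format): who touched which patient record, and how.
SAMPLE_LOG = """\
timestamp,user_id,role,patient_id,action
2024-03-01T08:02:11,u100,nurse,p5001,VIEW
2024-03-01T08:05:40,u100,nurse,p5001,UPDATE_NOTE
2024-03-01T09:15:02,u200,billing,p5001,VIEW
2024-03-01T09:20:19,u200,billing,p5001,UPDATE_NOTE
2024-03-01T10:01:55,u300,physician,p7300,VIEW
2024-03-01T10:30:00,u100,nurse,p9999,VIEW
2024-03-01T11:11:11,u300,physician,p7301,DELETE_NOTE
2024-03-01T12:00:00,u400,registrar,p8800,VIEW
"""

# Hypothetical reference data; in practice this is fed from HR and scheduling.
EMPLOYEE_PATIENT_ID = {"u100": "p9999", "u300": "p7300"}   # employee -> own chart
EMPLOYEE_RELATIVES = {"u300": {"p7301"}}                   # employee -> relatives' charts
ROLE_ACTIONS = {                                           # job function -> permitted actions
    "nurse": {"VIEW", "UPDATE_NOTE"},
    "physician": {"VIEW", "UPDATE_NOTE", "DELETE_NOTE"},
    "billing": {"VIEW"},
    "registrar": {"VIEW"},
}
# (user, patient) pairs with a current care-team or work assignment.
TREATMENT_RELATIONSHIPS = {("u100", "p5001"), ("u200", "p5001"), ("u400", "p8800")}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user_id: str
    patient_id: str
    action: str
    rule: str


def audit_access_log(log_text: str) -> list[Finding]:
    """Return one Finding per rule each log row trips; rows that trip nothing are clean."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user, role = row["user_id"], row["role"]
        patient, action = row["patient_id"], row["action"]

        def flag(rule: str) -> None:
            findings.append(Finding(row["timestamp"], user, patient, action, rule))

        # Whose chart was accessed: the user's own, a relative's, or a patient
        # with no treatment relationship to the user. Only the most specific rule fires.
        if EMPLOYEE_PATIENT_ID.get(user) == patient:
            flag("self_access")
        elif patient in EMPLOYEE_RELATIVES.get(user, set()):
            flag("family_member_access")
        elif (user, patient) not in TREATMENT_RELATIONSHIPS:
            flag("no_treatment_relationship")

        # What was done: an action outside the role's job function (minimum necessary).
        if action not in ROLE_ACTIONS.get(role, set()):
            flag("action_outside_job_function")
        # Any removal of chart content is reviewed even when the role permits it.
        if action == "DELETE_NOTE":
            flag("chart_entry_deleted")
    return findings


def findings_by_user(findings: list[Finding]) -> dict[str, list[str]]:
    """Group tripped rules by user: the input for a targeted audit of that person's access."""
    grouped: dict[str, list[str]] = {}
    for f in findings:
        grouped.setdefault(f.user_id, []).append(f.rule)
    return grouped


if __name__ == "__main__":
    for f in audit_access_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user_id} -> {f.patient_id} {f.action}: {f.rule}")
```

On the sample log, the billing clerk's note edit, both self-lookups, the physician's access to a relative's chart and the note deletion are flagged; routine care-team access is not. A finding is a lead for the human audit, not proof of a violation: a physician may have a legitimate reason to delete a note, which is why the deletion rule fires regardless of role and the reviewer decides.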
Texting and Email
Do not send patient information in email to people outside of your organization Do not communicate with patients using email or text without patient consent Do not send patient information in a text message
HIPAA PRIVACY RULE Permitted uses and disclosures:
1. A covered entity may use and disclose protected health information for its own treatment, payment, and health care operations activities.
-Treatment: a provider may use the patient's medical records.
-Payment: a medical organization may use the patient's medical records to generate an insurance claim and obtain payment.
-Health care operations: case management and care coordination.
2. If the individual authorizes the use or disclosure in writing.
MINIMUM NECESSARY RULE
A central aspect of the Privacy Rule is the principle of "minimum necessary" use and disclosure. A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.
-Applies when using or disclosing PHI or when requesting PHI from others: a covered entity must take reasonable steps to limit uses and disclosures of PHI to "the minimum necessary to accomplish the intended purpose of the use, disclosure, or request."
-Specific request of medical records.
-Send home remaining records with the patient.
HIPAA PRIVACY RULE 9. Sharing Immunization Records
A health care provider may disclose proof of immunization about a student or prospective student to a school for those immunizations that are required by state law, with oral or written agreement from a parent or guardian, or from the student if an emancipated minor or an adult.
HIPAA PRIVACY RULE Covered Entities include
-Health care providers: doctors, clinics, hospitals, dentists, nursing homes, and pharmacies that transmit information electronically.
-Health plans.
-Health care clearinghouses: organizations that act as a go-between for health care providers and health plans. Example: a clearinghouse may take information from a provider and put it into coded format to be used for insurance purposes.
HHS
Department of Health and Human Services
Talking about work
Do not share a patient's name or any other information that may identify him/her with family, friends, or anyone else.
HITECH
Health Information Technology for Economic and Clinical Health Act
HIPAA
Health Insurance Portability and Accountability Act
HIPAA PRIVACY RULE Identifiable: & De-identified data:
Identifiable: Information can be linked to the individual De-identified data: Has 18 specific identifiers removed and therefore is considered to make the individual who is the subject of the information unidentifiable. This means de-identified data is not protected under the HIPAA Privacy Rule as PHI and covered entities can use and disclose it more readily.
HIPAA VIOLATIONS Incidental Violations : (& examples)
Incidental Violations: precautions are taken to safeguard PHI, but someone happens to hear or see PHI. Examples: someone overhearing a conversation with a patient; someone catching a glimpse of a patient's information.
Protected health information (PHI): (HIPAA PRIVACY RULE)
Information that relates to the individual's past, present, or future physical or mental health or condition; to the provision of health care to the individual; or to past, present, or future payment for the provision of health care to the individual.
HIPAA VIOLATIONS Intentional Violations : (& examples)
Intentional Violations: careless or deliberate misuse or unauthorized disclosure of PHI. Examples: accessing patient records without proper authorization; revealing patient information to unauthorized persons; purposefully altering or deleting health information.
Compliance
It is your responsibility to comply with all privacy and security laws, regulations, and policies. If you ignore the rules and carelessly or deliberately use or disclose health information, you can expect: Disciplinary action, up to and including termination Civil and/or criminal charges.
RECENT PENALTIES (HIPAA)
March 2009:
-A Massachusetts General employee left records for 192 patients on a train.
-The records contained the name and medical record number for all 192 patients.
-For 66 of the patients they also contained DOB, medical insurer, policy number, diagnosis, and provider names.
February 25, 2011:
-Ordered to pay a $1 million resolution fine (the maximum fine is $1.5 million).
-Must implement a corrective action plan.
HIPAA PRIVACY RULE
1. Right of access
2. Amendment
3. Accounting for disclosures
4. Authorization
5. Friends and Family
6. Right to restriction
7. Notification of privacy practices
8. Sale, marketing, and fundraising
9. Immunization records
What is Treatment-Payment-Operations?
TPO: Treatment-Payment-Operations
-Use and/or disclosure without a signed authorization is allowed for: Treatment (providing care to patients); Payment (health insurance benefits and premium payment); Operations (quality improvement, training, insurance eligibility, etc.).
-Use of PHI outside of TPO is not allowed without a signed authorization.
HHS
US Department of Health and Human Services
HIPAA rules say:
You can't talk about patients outside of the office with anyone- ever. You should only access the medical information that is needed for your job/clinical experience. You need patients to give permission before you can give information to others on their behalf. Keep medical records in a secure place- both paper and electronic.