21. HIPAA
Under what circumstances are you free to repeat to others PHI that you hear on the job?
When your job requires it
covered entities
health care providers: physicians, dentists, hospitals, pharmacies, labs
Did Congress pass regulations for HIPAA?
No, Congress did not act. The regulations drew 52,000 public comments. Effective date: April 14, 2001; implemented: April 14, 2003.
basic principle:
Only access information that you need to know to do your job, and only tell others what they need to know to do their job.
Title II - Preventing Healthcare Fraud and Abuse, Administrative Simplification, and Medical Liability Reform
primary sections of HIPAA Administrative Simplification: electronic transmission, privacy, security
Assuring that PHI is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well-being is the goal of the:
privacy rule
Which of the following is an example of an appropriate place to discuss PHI?
private patient room
business associates
provide services to healthcare providers: answering services, lawyers, collection agencies, health plans
what about state privacy laws?
Remember that HIPAA is the federal floor (not the ceiling); states may have more restrictive privacy laws.
what does the privacy rule prohibit/not allow?
the disclosure of PHI except as defined in the Privacy Rule or authorized in writing by the individual or his/her representative
In which case would you be required to release information without a patient's permission?
when a provider suspects child abuse
what does the privacy rule require?
You MUST disclose PHI:
• As required by law (statute, regulation, court order)
• Public health activities
• Victims of abuse, neglect or domestic violence
• Health oversight activities
• Judicial and administrative hearings
• Law enforcement purposes
• Decedents (funeral directors, coroners)
More required disclosures:
• Organ, eye, tissue donation
• Research
• Serious threat to health or safety
• Essential government functions
• Workers' Compensation (as required by law)
basic privacy rule principle:
"A covered entity may not use or disclose protected health information (PHI), except either: 1) as the Privacy Rule permits or requires; or 2) as the individual who is the subject of the information (or the individual's personal representative) authorizes in writing."
privacy rule
• "A major goal of the Privacy Rule is to assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being."
• "The Privacy Rule protects all 'individually identifiable health information' held or transmitted by a covered entity or its business associates, in any form or media, whether electronic, paper or oral."
covered entities' responsibility
"Covered entities must make reasonable efforts to use, disclose, and request only the minimum amount of PHI needed to accomplish the intended purpose of the use, disclosure, or request."
who is affected by HIPAA (two groups)?
1. covered entities
2. business associates
What can happen to a person who knowingly violates patient privacy for personal gain or malicious harm?
A. Disciplinary action
B. Loss of access privileges
C. Fines and penalties
D. Imprisonment
ALL OF THE ABOVE!!!!
Patient health information includes:
A. Name, address, birth date, social security number, e-mail address
B. Medical records, diagnosis, treatment, test results
C. Billing records, census reports, referral authorizations
ALL OF THE ABOVE!!!!
Under HIPAA a patient has the right to the following:
A. To receive a Notice of Privacy Practices
B. To see or receive a copy of his/her PHI and to request corrections
C. To ask that PHI be sent to him/her at a different address or in a different way
D. To request limits on how his/her PHI is used and disclosed and to receive a list of disclosures
ALL OF THE ABOVE!!!!
HIPAA's Privacy rule protects patient information in which of the following formats:
A. Verbal
B. Paper
C. Electronic
ALL OF THE ABOVE!!!
A person or entity that provides services to health care providers is known as a:
Business associate
When is the patient's authorization to release information required?
In most cases when patient information is going to be shared with anyone for reasons other than treatment, payment or healthcare operations
when was HIPAA enacted?
• Enacted on August 21, 1996
• Required Congress to pass regulations by August 21, 1999
• Department of Health and Human Services to develop regulations if Congress did not
who introduced HIPAA and why?
• Introduced by Senators Kennedy and Kassebaum to address:
• the need for standards to protect the privacy of patient records, and
• the streamlining of billing and reimbursement processes.
students having HIPAA problems:
• One study found that 60% of US medical schools "reported incidents of students posting unprofessional content online"
• Thirteen percent of the incidents involved violations of patient confidentiality
• About 8% of postings violated HIPAA
patient rights
• To inspect and obtain copies of medical records.
• To amend information the patient believes is incorrect, subject to organizational approval.
• To request an accounting of disclosures for those disclosures other than for treatment, payment or healthcare operations.
• Reports made subject to State and Federal laws, such as disclosures to funeral homes, communicable diseases, vital statistics.
• To request restrictions on what information is provided to others - exception: if the patient pays cash, then information cannot be released to the insurance company.
• To request that confidential communications are provided by a particular means or location - exception for emergencies.
more exceptions:
• Copies may be denied if likely to endanger the life or physical safety of the individual or another person.
• Amendments may be denied; denials must be in writing and include the reason for denial and directions for filing a complaint.
what do covered entities do to protect PHI?
• Written policies and procedures
• Designated privacy officers
• Annual education
• Business Associate Agreements with covered entities
• Reasonable efforts to protect PHI:
• Limiting access to electronic records
• Auditing those who access electronic records
• Shredding of documents
• Conducting audits and surveys of physical security of PHI
• Screensavers
• Fax cover sheets
• Patients receive a "Notice of Privacy Practices" outlining patient rights.
• They discipline those who violate policy:
• Oral warning with retraining
• Written warning with more retraining
• Termination
• Referral to law enforcement
what you can do/will do:
• You can access records for which you have a legitimate need to access.
• You can share PHI with those who need to know.
• You can discuss PHI in appropriate places.
• You will verify that you can share information with someone, such as a family member, by asking the patient, by reviewing their written authorization, or by asking for the password/code assigned by the covered entity if there is one.
• You will follow all of the covered entity's IT policies and procedures.
what does the privacy rule permit/allow?
• You can disclose PHI to the individual who is the subject of the information.
• You can disclose PHI while providing treatment to a patient to other health care providers involved in the treatment and/or referral of the patient.
• You can disclose PHI to obtain reimbursement for services provided to an individual.
• You can disclose PHI for health care operations, such as quality assurance, case management, credentialing, accreditation, and the training of students and residents.
• You can disclose PHI by obtaining informal permission, asking the individual outright, as long as the individual has the opportunity to agree, acquiesce, or object. Examples include facility directories and permission to disclose information to family members.
some things you are advised NOT to do:
• You should not access PHI for which you have no legitimate reason to access.
• You should not discuss PHI in public places such as elevators, bathrooms, lobbies, etc.
• You should not share your computer password or use someone else's password.
• You will not store PHI on your PDA unless approved by the covered entity.
• You should not throw PHI in regular trash cans.
• You should not leave PHI in a place that can be accessed or seen by the public.
• You will never use social media to discuss patient information.
• Do not try to access your records or those of your family members or friends.
What does PHI stand for?
Protected Health Information
Are employees who are not actively involved in the care of a patient allowed to review a patient's chart out of intellectual curiosity?
NO
Is it permissible for medical students to enter PHI into personal-use devices, such as a smartphone, that have not been approved for such use by the health care facility?
NO
You have forgotten your password and need access to the computer to perform your work duties. What should you do?
Request a new password according to the organization's policy
TRUE OR FALSE: Accessing your own medical record on paper or electronically is completely acceptable and would not be considered a HIPAA violation.
TRUE
true or false: Privacy and confidentiality are NEVER more important than PATIENT SAFETY
TRUE
what is individually identifiable health information?
• "...information, including demographic data, that relates to:
• the individual's past, present or future physical or mental condition;
• the provision of care to the individual; or
• the past, present or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual"
what is the basic principle?
• A covered entity (you):
• may not use or disclose PHI, except either
• 1) as the Privacy Rule permits or requires; or
• 2) as the individual who is the subject of the information (or the individual's personal representative) authorizes in writing.
civil and criminal penalties
• Civil: $100 per incident, not to exceed $25,000 for identical violations per year
• Criminal:
• Up to $50,000 and 1 year for knowingly and improperly obtaining or disclosing PHI
• Up to $100,000 and 5 years if the offense is committed under false pretenses
• Up to $250,000 and 10 years for obtaining or disclosing PHI with the intention to sell it or use it for malicious purposes
security rule
• Confidentiality: PHI (protected health info) is not available or disclosed to unauthorized persons or processes
• Integrity: PHI is not altered or destroyed in an unauthorized manner
• Availability: PHI is accessible and usable upon demand by an authorized person
