Privacy and Security (HIPAA)
Telephones
-Do not use patients' names if unauthorized individuals are in the area and can overhear. -When leaving messages, simply ask patients to return the call. Do not speak about any confidential information.
The Purposes of HIPAA
-Privacy of Health Information -Security of Electronic Records -Administrative Simplification -Insurance Portability
Medical Facility Responsibilities
Medical facilities must abide by HIPAA and Privacy Rule regulations. Each facility must have a written policy for adhering to these rules. The policy must be recorded in electronic and paper form.
Security Rule Safeguards
-According to the Security Rule, health care facilities must provide three types of safeguards when using electronic records.
Patient Rights under the Privacy Rule
At a patient's first visit to a health care facility, the patient must be given a written copy of the facility's rules and the patient's rights regarding protected health information.
Technical Safeguards
include rules for protecting electronic information. For example: -All medical records should be password-protected, and passwords should be updated regularly. -Information that is transmitted electronically should be encrypted. -All computer systems must have effective anti-virus software.
Emotional abuse
includes excessive demands. It includes insults and humiliation. It also includes jealousy, control, and isolation. Emotional abuse includes stalking and threats. And it includes lack of affection and support.
Sexual abuse
includes using sexual gestures, suggesting sexual behavior, and unwanted sexual touching or acts.
privacy
defined as a patient's right to control the use of protected health information.
Administrative Safeguards
include rules for managing employees who have access to protected health records. For example: -Policies must be in place regarding which employees are allowed to access information. -All employees should complete security awareness training.
Physical abuse
includes hitting, kicking, pushing, shaking, pulling hair, pinching, choking, biting, burning, scalding, and threatening with a weapon. It also includes inappropriate restraint. And physical abuse includes withholding food and water, not providing physical care, and abandonment.
Authorization
the permission that patients give in order to disclose protected health information. Several elements must be included in formal authorization.
Confidentiality
using discretion when handling protected health information. So then, patients have the right to the privacy of their health information, and health care employees have the responsibility to keep a patient's health information confidential.
Medical Records
-Personal information, such as full name, phone number, address, work number and address, birth date, social security number, and marital status -Medical history -Description of symptoms -Diagnoses -Treatments -Prescriptions and refills -Records of patient's telephone calls -Name of legal guardian -Name of power of attorney -Notes about copies of medical records
Privacy of Health Information
-According to HIPAA, a patient's health information is private. Before a patient's information is released to anyone, such as a family member or another physician, the patient must give written authorization. -The privacy regulations are outlined in a section of HIPAA called the Privacy Rule. The Privacy Rule provides detailed instructions for handling and protecting a patient's personal health information.
disadvantages of electronic medical records
-Additional hardware, software, and licensing costs -Resistance to giving up paper records -Difficult data entry -Training -Computer downtime, such as unexpected failure or routine servicing -Confidentiality and security concerns, such access of information to unauthorized individuals
Insurance Portability
For example, suppose that Rose Wilson had health insurance through her employer. After several years of employment, Rose developed a heart condition. She decided to quit her job and begin her own business working from home. When Rose applies for a new health insurance policy, it is illegal for the insurance company to deny coverage on the basis of her pre-existing heart condition.
Medical Facility Responsibilities
When patients come to a medical facility for the first time, they must receive a copy of the facility's privacy policy. This is called the Notice of Privacy Practice form. All patients must read and sign the form. In addition, patients must sign a Release of Information form to allow the facility to disclose medical information to authorized entities or people.
Protected health information (PHI)
is any individually identifiable health information about a patient. This is information about a patient's health status, provision of health care, and payment for health care that also identifies the patient's name, social security number, address, telephone number, date of birth, etc. PHI can be oral-, paper-, or electronic-based.
Fax machines
-Contact the receiver and verify the fax number of the receiving location before faxing confidential information. -Do not fax confidential information to unauthorized individuals. -Attach a cover sheet that contains a confidentiality statement. -Do not fax confidential information if unauthorized individuals are in the area and can see the information. -Do not leave fax machines unattended while faxing confidential information. --Make sure to collect confidential information from fax machines. -Do not throw unneeded faxes of confidential information in trash cans. Instead, this should be shredded. -Contact the receiver after faxing confidential information.
Copiers
-Do not copy confidential information if unauthorized individuals are in the area and can see the information. -Do not leave copiers unattended while copying confidential information. -If a paper jam occurs, be sure to remove the copies that caused the jam from the copier. -Make sure to collect all copies of confidential information as well as the original from the copier. -Do not throw unneeded copies of confidential information in trash cans. Instead, these should be shredded.
Security of Electronic Records
-In recent years, there has been a trend in health care facilities to convert all medical records from paper form to electronic form. -Electronic medical records (EMR) help the health care industry to operate more efficiently. However, EMR creates many security and privacy issues. As a result, HIPAA provides regulations to make sure that confidential records are kept secure. This is called the -Security Rule.
Electronic Medical Records advantages
-Instant access -Remote access to up-to-date information -Simultaneous access -Decreased time to record information -Legible -Better organization -Flexible data layout -Automated checks and reminders -Increased privacy and decreased tampering, destruction, and loss due to required authorization
Confidentiality of Electronic Records
-Limit individuals who have access to records by using passwords, fingerprints, voice recognition, and eye patterns. -Require codes to access specific information. -Place monitors in areas where others cannot see the screen. -Do not leave monitors unattended while confidential information is on the screen. -Do not send confidential information by e-mail. -Back up data. Constantly monitor and evaluate the use of electronic medical records.
Right to request confidential communications
Patients may request reasonable, alternative forms of communication. For example, a patient may ask to be contacted at a work phone number instead of a home phone number.
Right to request restrictions on certain uses of protected health information
Patients may select which items in their medical records should not be disclosed. For example, a patient may restrict an item in the medical record if the previous health condition is no longer applicable or if the patient feels that it will cause embarrassment.
Printers
-Do not leave printers unattended while printing confidential information. -Do not print confidential information on printers that are shared by unauthorized individuals. -Do not print confidential information on wrong printers. Make sure to collect printouts of confidential information from printers. -Do not throw unneeded printouts of confidential information in trash cans. Instead, these should be shredded.
Right to request an amendment of protected health information
Patients may request a change to their medical record if they feel that something is incorrect. The requests must be made in writing. Facilities must respond in a timely fashion. In some cases, the requests may be denied.
Administrative Simplification
-Because most health care agencies have adopted an electronic records system, there was a need for national standards for health transactions. These standards are created in HIPAA in the Transaction and Code Set Rule. As a result of this rule, all medical transactions and codes have become the same nationwide. For example, a medical office assistant will be able to submit an insurance claim in the same format for any insurance plan and any insurance company. -By standardizing these transactions, the health care industry has simplified its claims process. The process for transmitting data has also become more efficient. Standard, electronic claims are filed faster. And they are typically more accurate than the old paper forms.
Right to access a copy of protected health information
With the exception of psychotherapy notes, patients may access, inspect, and obtain a copy of their medical records. Typically, the request must be made in writing and acted on within 30 days. Most facilities will charge a fee to patients to obtain copies of their medical records.
Proper Maintenance
Medical records are legal documents. Therefore, they must be properly maintained. Specifically, medical records must be complete, legible, and timely. In addition, all information in records must be objective and the information must be initialed and dated. Subjective observations made by health care workers should never be included. On the other hand, subjective statements made by patients may be included. These should be recorded in patients' exact words and quotation marks should surround them. -Furthermore, errors should never be erased or covered with correction fluid. Instead, a single line should be drawn through an error so that the error is still readable. And the word "error" should be written and initialed. An explanation of the error may be included. Then, correct information may be inserted, initialed, and dated. -Records should also be kept for at least two to seven years, according to federal and state laws. When records are destroyed, they should be shredded.
Ownership of Medical Records
Medical records belong to health care providers, but patients have the right to see and obtain a copy of their records. The exception to this is patients with mental illness. This is because knowledge of their medical information may make such patients' condition worse. In addition, if a patient's employer or prospective employer pays for a job-related physical examination, the employer, not the patient, has the right to see and obtain a copy of the records. In this case, the employer must give permission for the patient to see and obtain a copy of the records.
Disclosure
release, transfer, or provision of access to protected health information. Patients must give permission for their health information to be disclosed to other people, including other doctors, family members, friends, health insurance companies, employers, and attorneys.
Signs of Abuse
-Patient statements -Unexplained injuries, such as bruises, abrasions, fractures, bite marks, and burns -Unreasonable explanations for injuries -Malnutrition and dehydration -Poor personal hygiene -Pain or bruising in the genital area -Unexplained genital infections -Emotional problems, such as anxiety, depression, aggressiveness, - changes in appetite, problems at school or work
The Privacy Rule
-established nationwide standards that are used to protect private patient information. For example, personal health information may only be shared among the members of a patient's health care team. Under most circumstances, it may not be disclosed to anyone else without the patient's permission. Violations of the Privacy Rule may include civil and criminal penalties, such as fines and loss of license. -The Privacy Rule was not intended to slow down health care or to make health care more complicated. Rather, the rule was created to protect private health information while still allowing the flow of necessary information. As a result, patients should feel confident that their information is being treated properly and respectfully.
Physical Safeguards
-include rules for providing a safe and hazard-free environment in which to store medical records. For example: -Doors should be locked. -Computer server rooms should be locked and accessed by authorized personnel only. -Any paper records should be stored in locked, fireproof cabinets.
Health Insurance Access, Portability, and Renewability
-section of HIPAA was created to provide continuous insurance coverage for people when they change or lose a job. A change in jobs usually results in a change in health insurance. HIPAA prevents health insurance companies from denying or limiting coverage for people who have pre-existing conditions.
HIPAA
As a result, the federal government decided that privacy legislation must be enacted. In the 1970's, Congress began working to reform many aspects of the health care industry. By 1996, the Health Insurance Portability and Accountability Act (HIPAA) was passed in the House and Senate and was signed by the President. HIPAA became law, and many rules were set in place to protect patients and their personal health information.
Right to receive an accounting of disclosures of protected health information
Patients may request a record of all the instances in which their personal information was disclosed. Each item in the record must include the date of disclosure, the name of the entity or person to which information was disclosed, a description of the information that was disclosed, and the reason for disclosure.
Disclosure without Authorization
When a patient requests to see his or her own personal information: Patients may have access to their own medical record at any time. When permission to disclose is obtained: If a patient is admitted to the hospital, the patient will be asked if his or her name may be listed in the directory. Then, if any guests request to see the patient by name, the guests can be directed to the correct room. When information is used for treatment, payment, and health care operations: If a patient is referred from one doctor to another doctor, these two doctors may share the patient's health information. When disclosures are obtained incidentally: Incidental information is information that is obtained accidentally, even when privacy precautions are taken. For example, if a doctor discusses a medical condition with a patient behind closed doors and someone outside the door overhears, this is considered incidental. When information is needed for research: Some health data may be released to researchers or for public health purposes. In these cases, identifying information, such as names, social security numbers, and addresses, has been removed from the data. The final situation for when disclosure of protected health information is allowed without authorization occurs when there are legal or public interest issues involved. Some examples of legal or public interest issues include: When information in a medical record must be provided to a court of law. When law enforcement needs medical records to identify a suspect or missing person. When reporting cases of abuse, neglect, or domestic violence. When births and deaths occur. When a patient contracts a serious communicable disease, such as tuberculosis. When information is needed to facilitate organ transplants from deceased donors.
Privileged Communication
information that is shared within a protected relationship. Such relationships include physician and patient, attorney and client, and clergy and counselee. The confidentiality, or privacy, of privileged communication is protected by law. In other words, under most circumstances, privileged communication cannot be disclosed. For example, an employee has taken a lot of sick days. The employer knows the employee's physician and asks the physician why the employee has taken so many sick days. The physician cannot answer the employer's question without the patient's permission.