CHAM Arrival - Patient and Family Experience

Accountability Act of 1996. Also known as

"HIPAA." Under HIPAA law, the patient has the right to control who will see or obtain their protected, identifiable health information. Protecting and keeping this information private is one of the most important functions of Patient Access Services.

As many as nine million Americans have their identities stolen each year. Medical identity theft may leave a patient without benefits or face potentially life-threatening consequences due to inaccuracies in their medical records. Healthcare providers can be left with unpaid medical bills. There isn't a standard checklist of all red flag signals, but here are a few warning signs:

•Suspicious or inconsistent documents or identifying information. •Altered or forged ID. •Pictures inconsistent with what the patient looks like •Documents with inconsistent information that doesn't correspond with what they told you such as a different Date of Birth •Information doesn't match previous information on file •Patient complains about receiving bills for services they have never received

Because of the possible penalties involved with HIPAA breaches, it is important that Patient Access leadership provide continual education stressing the importance of our role in our patients' Confidentiality and promote the confidence of our staff and hospital to

protect it.

According to the Department of Health and Human Services, the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules were established to

protect the privacy and security of health information and provide individuals with certain rights to their health information. Among other provisions, the Privacy Rule sets standards for when protected health information (PHI) may be used and disclosed, while the Security Rule requires safeguards to ensure that only those who should have access to electronic protected health information (ePHI) will be given access. The Breach Notification Rule requires HIPAA covered entities to notify the Department of Health & Human Services (HHS), affected individuals, and in some cases the media (and business associates to notify covered entities) of breaches of unsecured PHI. Another HIPAA rule administered by CMS is the Administrative and Simplification Rules. This rule includes: Transaction and Code Set Standards, Employer Identifier Standard and the National Provider Identifier Standard.

Physicians, health care providers and other health care professionals are using smartphones, laptops and tablets for business purposes. Mobile devices carry privacy and security risks and organizations need to put

safeguards in place to help mitigate these risks.

When discussing mobile device security best practices, we are primarily concerned with the Security Rule provisions.. The Security Rule addresses the technical and non-technical safeguards that organizations must put in place to secure individuals' ePHI outlined in the Privacy Rule. The Security Rule established a national set of security standards for protecting ePHI specifically how it is

stored, maintained or transmitted.

HIPAA violations may also result in the

termination of employees involved in a breach. Criminal penalties for wrongful disclosure can also result in jail time. The criminal penalties increase as the severity of the offense increases. Intentionally selling patient information is significantly more serious than

All communications with patients or about patients involving their personal health information must be protected, private and limited to people who have been authorized or whose job requires

the use of the information.

What are ways in which the Patient Access professional ensures compliance?

•Always used encrypted devices •Never copy a credit card •Never write down credit card information •Never scan a credit card into your imaging system •Remove receipts promptly from the printer •Never email a receipt with data information

Patient Access should always protect card holder data. This includes any personally identifiable data associated with a cardholder, such as:

•Cardholder name • Cardholder address •Credit card number Debit card number •Debit card PIN •Tracking data (back) •Expiration date •Authorization code

Organizations must develop a program that includes four basic elements:

•Reasonable policies and procedures to identify the red flags, suspicious patterns or practices of identity theft that may occur in day-to-day operations. •A program must detail the appropriate actions the organization will take when red flags are detected. • A program must detail how the organization will keep its policies current to mitigate new threats.

The U.S. Department of Health and Human Services has gathered these tips and information to help you protect and secure health information patients entrust to you when using mobile devices.

•Use passwords or other user authentication •Install and enable encryption •Install and enable a firewall •Do not use file sharing applications •Keep security software up to date •Maintain physical control - referencing stolen or lost mobile devices •Use only Secure Wi-Fi networks •Delete all stored health information

A breach is generally an impermissible use or disclosure under the Privacy rules that compromises the security or privacy of a patients PHI. A breach can be a unintentional disclosure, an inadvertent disclosure or an intentional disclosure. There are federal regulations regarding the notification and disclosure of a breach. HHS Office for Civil Rights is responsible for enforcing the Privacy and Security rules. Healthcare organizations usually align HIPAA compliance with the organizations

Compliance Officer or Privacy Officer.

The Minimum Necessary Standard is a requirement under the

HIPAA Privacy Rule. It requires that covered entities take reasonable steps to limit the use or disclosure of PHI. People should only access, use or disclose the health information that is minimally necessary to accomplish a given task or purpose. An employee's access should be limited to the minimum necessary access to accomplish their particular job function.

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards including Visa, MasterCard, American Express, Discover. The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud. It's a serious problem - more than 510 million records with sensitive information have been breached since

January 2005, according to PrivacyRights.org.

Patient Access Services plays a critical role in protecting our patients' private information. We are privy to patients confidential PHI with every patient encounter. Such as: the patients name, address, age, social security number, medical record, encounter number, insurance and any other personal information as well as the reason the person is in the hospital, treatment plans, medications or any observation about their current or past health condition. The patient has the right to control who will see or obtain their protected, identifiable health information. Protecting and keeping this information private is one of the most important functions of

Patient Access Services

According to the Centers for Disease Control and Prevention, here are some of the ways in which Patient Access professionals can protect our patient's privacy:

**Any situation: •Confirm the patient's identity at the first encounter •Never discuss the patient's case with anyone without the patient's permission (including family and friends during off-duty hours) •Never leave hard copies of forms or records where unauthorized persons may access them •Use only secure routes to send patient information (for example, official mail) and always mark this information confidential •When using an interpreter, ensure that the interpreter understands the importance of patient confidentiality **When in an office, clinic, or institution: •Conduct patient interviews in private rooms or areas •Never discuss cases or use patients' names in a public area •If a staff member or health care worker requests patient information, establish his or her authority to do so before disclosing anything • Keep records that contain patient names and other identifying information in closed, locked files •Restrict access to electronic databases to designated staff •Carefully protect computer passwords or keys; never give them to unauthorized persons • Carefully safeguard computer screens •Keep computers in a locked or restricted area; physically or electronically lock the hard disk •Keep printouts of electronic information in a restricted or locked area; printouts that are no longer needed should be destroyed **When in the field: •Be discreet when registering your patient •Conduct patient interviews in private; never discuss the case in a public place •Don't leave sensitive or confidential information in messages for the patient on a door; but if a message must be left on the door, it should be left in a sealed envelope, marked confidential, and addressed to a specific person •Don't leave sensitive or confidential information on an answering machine that other people can access •Don't leave sensitive or confidential information with a neighbor or friend, and be careful not to disclose the patient's condition when gathering information on his or her whereabouts

HIPAA violations may result in

Civil penalties for the organization. These are fines up to $100 for each violation of the law per person, up to a limit of $25,000. For example, if 100 patient records were released illegally, a healthcare institution could be fined $10,000.

Examples of HIPAA breaches within Patient Access

Scenario 1: Registrar Mary sees her neighbor in the radiology waiting room and is curious as to why she is here. Since she has access to the hospital's ADT system, she looks up her neighbor's information. -Using your access to look up a patients' medical record out of curiosity is a HIPAA violation. A patients PHI should only be accessed by people who has been authorized or whose job requires the use of the information. Scenario 2: Registrar Bill is working in the Emergency Department. A friend, Steve, is brought in who was involved in an auto accident. Bill calls their mutual friend John to inform him of Steve's accident - In general, PHI disclosure without authorization is only allowed for treatment, payment and healthcare operations. Calling a mutual friend without the patients' permission just to inform them about their friend would be considered a HIPAA violation Scenario 3: Registrar Maria was nearing the end of her shift. She still had several patient documents (consent forms and insurance card copies) that she needs to scan into the document imaging system. Unable to complete them today, she places them in an unsecured file box to complete tomorrow. -Her registration area is not locked leaving these documents vulnerable. This is a HIPAA violation Scenario 4: Registrar Jeff registers a patient who had been to their hospital previously for an outpatient procedure. He made the mistake of not verifying key information and chose the wrong patient from the MPI. The mistake went undetected -Registering the wrong patient is a HIPAA violation because another patients information was sent to the physician and insurance company. Scenario 5: Registrar Chris's father is ill and recently had some tests performed. Curious about the results, Chris looks up his father's medical records and read the results. -Looking up a family member's medical record out of curiosity is a HIPAA violation unless the hospital has a document signed by Chris's father stating it is OK for Chris to have access to his records. If Chris was performing his role as a registrar and needed to access his father's medical records to complete his account, that would not be a HIPAA violation.

Patient Access professionals may come in contact with patients where the patients' identity may be in question. Each healthcare organization should have a Red Flag Rules policy in place. Patient Access leadership is responsible for the education of their department on identity theft. For safety reasons, it is important to follow the organizations protocol. These policies are most often maintained by the organizations

Security or Privacy Officer

Failure to meet these standards can result in

fines or termination of credit card processing privileges.

The Red Flag Rules were put in to place by the Federal Trade Commission. These rules requires businesses to watch for and respond to "red flags" of

identity theft