HIPAA


A patient is registered as a "NO INFO" patient. What does that really mean?

"No Information/Confidential" refers to the need to restrict knowledge of the patient's presence in the hospital to only appropriate medical and hospital staff. Inquiries about such patients should be answered with statements such as, "I am sorry, I have no information for you on such a patient".

You refer to an entity privacy officer. What is a privacy officer?

A privacy officer is a Texas Health employee who is responsible for managing the privacy program at their hospital or entity. They make sure everyone is trained, answer questions, and monitor the compliance of the entity with the privacy policies.

How do I Report a Breach?

Anyone may report a potential information breach. If you think an information breach has occurred, report the incident to your supervisor or entity privacy officer. It can be done verbally or by filling out the online form. The online form may be accessed by clicking the "Report a Privacy Incident" link on the HIPAA Privacy page. If you want to remain anonymous, call the Texas Health System Compliance Hotline (1-800-381-4728) or follow the directions for the online form. A paper form for reporting incidents is also available on the Privacy Forms page on the HIPAA Privacy Web site.

What happens if there is Failure to Comply?

Breaking federal or state privacy rules can mean either a civil or a criminal sanction. Under HIPAA, civil penalties are fines assessed for each breach of a requirement, per person. Have you ever looked up a coworker's medical record to learn his or her birthday? Or read a neighbor's medical history because you are curious? Under HIPAA, Texas Health could pay a fine for violating privacy. Criminal penalties for "wrongful" release can also include jail time; criminal penalties increase as the gravity of the offense increases.

Is it safe to send PHI in an E-mail?

E-mails sent within our Texas Health email system between employees are safe. If PHI needs to be e-mailed outside of our network using an Internet e-mail address, it must be encrypted so no one can access it while it is in transit. You do this by typing the word SECURE in the subject line.

Plans or insurers

Examples include Cigna, United Health Care, Blue Cross/Blue Shield, and Aetna.

Is it OK to fax Protected Health Information (PHI)?

Faxing is allowed, but be careful to protect the privacy of the information. Examples of safety measures include using cover sheets, keeping fax machines out of public areas, and confirming the fax numbers.

What should be done when a patient has a complaint about their privacy?

Forward patient complaints to the person in your hospital who has been appointed to deal with privacy complaints. In many cases this is the entity privacy officer. You may use the same Information Privacy Report form that is available for reporting breaches. We also inform patients in our Notice of Privacy Practices that they may report privacy complaints to the Department of Health and Human Services.

How do I Take the Privacy Training?

HIPAA requires workforce members to be trained on our privacy policies. All Texas Health employees must complete training within 30 days from the date of hire. Texas Health privacy training is available online through MyTalent. You may request paper options from your entity privacy officer. Spanish versions are also available in paper format. Training for volunteers is in paper format.

Online privacy training is:

- Offered 24 hours a day: designed to fit your work schedule
- Modular: focused on a single topic, so the training is results-oriented
- Relevant: tailored to your job, featuring real-world scenarios

Here is how to access the online training:

1. Access MyTexasHealth (intranet).
2. From Quick Links, click on MyTalent.
3. Follow the directions on the landing page.
4. On the logon page, enter your Texas Health network User ID and password.
5. Both your User ID and password are case sensitive.

What is an Information Breach?

Information breaches can result in the abuse of an individual's privacy. An information breach occurs when Protected Health Information (PHI) is:

- accessed by people who do not have permission;
- discussed without a valid business purpose;
- shared with those who don't have a need to know.

An information breach may occur on purpose or it may happen by accident. Examples include faxing PHI to the wrong person, using someone else's computer password to access PHI, or reading the medical record of a patient without a valid need to know.

What about Texas Privacy Laws?

Many states, including Texas, passed their own versions of HIPAA. This could have caused a problem - what if state and federal law said two different things? HIPAA solved the problem by stating that when state and federal versions differ, the more restrictive version applies. Our privacy policies reflect the more restrictive law. They also reflect other state and federal laws that deal with information sharing and privacy.

Does the patient need to give us permission to share their PHI with another facility to which they are being transferred?

No, this release of information is for treatment purposes and does not require a patient authorization.

Can I use my Epic User ID to look at my own health information?

No. Your Epic User ID can only be used to perform your job-related functions. You can access your health information by going to the Health Information Services department. Review the Patient Access to Health Information policy for additional information.

What are the Effects of a Breach?

Once a possible information breach is reported, your entity privacy officer will promptly look into it. If it's found that a workforce member's action resulted in an information breach, that person will be sanctioned. Sanctions are corrective actions that are based upon: how severe the information breach is (carelessness, curiosity or concern, personal gain or malice); impact of the information breach; and other factors such as repeated offenses and patterns of abuse. Texas Health action will follow the Texas Health Corrective Action policy, up to and including termination.

Confidential information includes

Patient Information and Internal Business Information

I may accidentally overhear a private conversation. Have I gone against the privacy rule?

Privacy laws are based on the understanding that hospital employees need to talk to each other and to their patients. It is not possible to completely prevent conversations from being overheard. The important thing is to minimize this and take reasonable steps. Texas Health privacy policies reflect this intent.

PHI

Protected Health Information is health information in any form that can identify an individual.

HIPAA protects PHI. PHI stands for

Protected Health Information

HIPAA impacts three types of organizations and people, known as covered entities:

Providers, Plans or insurers, Clearinghouses.

providers

Texas Health is a health care provider. Providers range from large hospital systems to nursing homes, labs, and pharmacies. Health care providers are also doctors, nurses, dentists, and others who care for patients.

How can we keep discussions private when patients are in a semi-private room or in areas such as Emergency Departments and recovery rooms?

The HIPAA Privacy Rule and Texas Health privacy policies recognize the sometimes-open nature of our hospital setting. We need to take any sensible steps that we can in the design of our facilities to minimize the amount of health information that can be released by accident. When all else fails, keep your voice down, use consultation areas when possible, and ask that people leave the room during discussions when called for. This will help decrease accidental release of information.

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that covers three areas:

1. Insurance portability: making sure that people who move from one health plan to another will maintain coverage and will not be denied coverage under pre-existing condition clauses.
2. Fraud enforcement (accountability): increases the federal government's fraud enforcement authority in many different areas.
3. Administrative simplification (reduction in health care costs): provides standards for electronic exchange of health information, and for privacy and security of health information.

When can I share health information with a patient's family or friends?

The patient should indicate if sharing information with someone is allowed. This typically would be recorded on their Authorization for Verbal Release Health Care Information. Of course there will be emergency situations when professional judgement should be used.

Won't these privacy rules and policies make it hard to share the information needed to take care of patients?

The privacy rule and Texas Health policies make it clear that sharing information needed to treat a patient should not be restricted. It is up to each covered entity to develop the policies needed for providers and employees to access needed information. At the same time, we need to prevent needless sharing or use of patient information. It is a balancing act, and patient care is always the number one priority.

Clearinghouses

These are systems that process information for other companies, such as billing services.

What information about patients may volunteers give when called or asked?

Volunteers may give out patient location (room number, phone number) and general condition if available. Check with your supervisor regarding any other patient information.

Can a phone message be left for a patient to remind them about an upcoming appointment?

Yes, a message may be left but you should limit the amount of information in the message and do not share any health information.

If a patient is currently in the hospital and asks to see their medical record, may clinical staff give them this access?

Yes, patients may request access to their medical record while in the hospital. You should tell them that the record will not be complete until after discharge. You should also have them sign an Acknowledgement that they have reviewed or received an incomplete record.

I hear Emergency Department nurses calling out first and last names for patients in the waiting room. Is this OK?

Yes. We suggest using only the last name if possible. While that might work in a doctor's waiting room, it may not work in the Emergency Department.

Payment

actions taken by a health care provider to get paid for health care services.

Confidential information

any written, verbal, or electronic information that is to be kept secret and not shared without permission.

What forms does Confidential information come in?

comes in many forms, such as patient ID bands, paycheck stubs, electronic patient records, and X-rays and other films.

Designated Record Set

group of records maintained by a facility that is used to make decisions about a patient. It includes billing records, medical records, retail pharmacy records, and source data such as radiology films and EKGs that can be linked back to a patient.

Patient Information

health, demographic, and financial information that can be tied back to a patient.

Who does HIPAA protect the rights of?

Individuals, not just patients. An individual is the subject of health information. This can include patients and health plan members and their covered dependents. It also includes legally authorized representatives.

Confidential information

is any written, spoken, or electronic information that is to be kept secret and not shared without permission.

Need to Know

is the idea that you only have access to information you need to do your job.

Business Associate

outside third party that accesses, uses, or releases PHI while providing services on our behalf.

Covered entity

providers, plans and clearinghouses that are subject to the terms of HIPAA.

Internal Business Information

sensitive information about our employees and business affairs, such as employee personnel files, password information, physician credentialing information, and quality and risk management information.

Health care operations

the administrative actions and functions of a covered entity. Examples include: quality assessment and improvement; evaluations of provider performance; business planning and development; medical review, legal services, and auditing functions; business management activities.

Minimum necessary

the essential (least) amount of PHI needed to support or achieve the planned purpose.

Disclosure

the release of PHI outside the facility holding the information.

Individual

the subject of health information. This can include patients and health plan members and their covered dependents.

Access

to inspect and/or obtain a copy of Protected Health Information (PHI) in a designated record set.

Workforce members include

volunteers, people under the direct control of a covered entity, and people in a covered entity's training programs.

