HIPAA Training for Scribes


Privacy Rule

- Guides us on how we handle issues surrounding privacy and confidentiality
- The Privacy Rule pertains to all protected health information (PHI) including spoken, written, and electronic information and images.

Security Rule

- Guides us on how we handle issues surrounding safekeeping patient information.
- The Security Rule deals specifically with electronic protected health information (EPHI).

Three Categories of Covered Entities

- Health Care Providers
- Health Plans
- Health Care Clearinghouse

Health Plans

- Health Insurance Companies
- HMOs
- Company health plans
- Government programs that pay for health care, such as Medicare, Medicaid and military/veterans health care programs

Health Care Providers

- Hospitals
- Private Practices
- Clinics
- Psychologists
- Dentists
- Chiropractors
- Nursing Homes
- Pharmacies

The HIPAA Rules Apply to Covered Entities and Business Associates

- Individuals, organizations and agencies that meet the definition of a covered entity under HIPAA must comply with the rules' requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information
- If a covered entity engages a business associate to help it carry out its health care activities and functions, the business associate must contractually comply with the rules' requirements to protect the privacy and security of protected health information

We must protect an individual's personal and health information that...

- Is created, received, or maintained by a health care provider or health plan
- Is written, spoken or electronic
- And includes at least one of the 18 personal identifiers in association with health information

HIPAA Rules

- Privacy Rule
- Security Rule
- Enforcement Rule

HITECH ACT - Enforcement Rule

- The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 was designed to promote the widespread adoption and meaningful use of health information technology
- In addition, the Act significantly increases the penalty amounts the U.S. Department of Health & Human Services may impose for violations of the HIPAA rules.
- The Act also strengthens the civil and criminal enforcement of the HIPAA rules.

Key HIPAA Requirements for the Workforce of a Covered Entity

- To protect the privacy and security of an individual's protected health information (PHI)
- To require the use of "minimal necessary"
- To extend the rights of individuals over the use of their protected health information

Finally:

- Access to medical records is audited
- Do not look up any information not required for your job
- You will be held responsible for any inappropriate access done under your computer user ID
- Avoid online discussions of patients
- Do not share passwords
- Log off your workstation when you are done
- Use the minimum necessary rule
- Patients have entrusted their care to us and need the assurance that all information, personal and medical, will be held confidential and not used for personal curiosity or gain

Patient Authorizations are Required for Certain Marketing and Sales of PHI

- An individual authorization is required for communications when a covered entity receives financial compensation from a third party in exchange for marketing the third party's product or service
- Health promotion and the promotion of government-sponsored programs are permitted without authorization
- Covered entities or business associates are prohibited from receiving direct or indirect compensation in exchange for the disclosure of PHI unless an authorization has been obtained from the individual

Who Uses PHI?

Anyone who works with or may see health, financial or confidential information with HIPAA PHI identifiers. Everyone who uses a computer or electronic device which stores or transmits PHI, such as:

- Direct patient care employees
- Staff who work in clinical areas
- Volunteers
- Students who work with patients
- Research staff and investigators
- Accounting/billing staff
- Administrative staff who have access to PHI
- Almost everyone at one time or another

When Can You Access and Share PHI?

- As part of your job/student/faculty role
- The information can only be shared with individuals who require it to complete a task
- At pre- and post-conferences with faculty

How can you protect patient information?

- Verbal awareness
- Written paper/hard copy protection
- Safe computing skills
- Follow your clinical facility's policy for disposing of PHI
- Follow all clinical facility HIPAA policies

Why is protecting privacy and security so important?

- We all want our privacy protected
- It is the right thing to do
- It is the law
- There are severe penalties for HIPAA violations

Understand how HIPAA/HITECH affect the medical scribe and how scribes are responsible to protect confidential and sensitive information.

When you are at a health care facility for clinical training, you are subject to HIPAA as a member of that facility's workforce. In addition to this training, your training site may require you to complete HIPAA training specific to that site. You can also expect to be required to sign a confidentiality statement indicating understanding of the facility's policy.

Penalties for HIPAA violations

- Civil Penalties: Based on the nature and extent of the violation, penalties can range from $100 per violation, up to a maximum of $50,000 per violation, with an annual maximum of $1.5 Million.
- Criminal Penalties: Individuals who knowingly obtain or disclose individually identifiable health information in violation of HIPAA face a fine of up to $50,000, as well as imprisonment up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000 and imprisonment for up to ten years.
- Professional Penalties: A facility has the right to permanently deny clinical privileges. Also, one may face disciplinary action from the Board of Examiners.
- Academic Penalties: Consequences could range from reprimand to dismissal from the college.

HIPAA Applies to us all wherever we may be

- Clinical site
- School
- In an elevator
- On the bus
- At home
- On the phone
- Online

Understand the requirements of the federal HIPAA/HITECH regulations and privacy laws that protect the privacy and security of confidential data and what information must be protected.

Congress recognized that standardizing the electronic means of paying and collecting claims increased the potential for abuse of individuals' medical information; as a result, a key part of HIPAA also increased and standardized confidentiality and protection of health data. HIPAA now provides for a uniform, basic level of security and privacy for personal health information throughout the country.

Examples of HIPAA violations

A jury in Waukesha, Wisconsin found that an emergency medical technician (EMT) invaded the privacy of an overdose patient when she told the patient's co-worker about the overdose. The co-worker then told nurses at West Allis Memorial Hospital. The EMT claimed that she called the patient's co-worker out of concern for the patient. The jury, however, found that regardless of her intentions, the EMT had no right to disclose confidential and sensitive medical information and directed the EMT and her employer to pay $3,000 for the invasion of privacy. (L. Sink, "Jurors Decide Patient Privacy Was Invaded," Milwaukee Journal Sentinel, May 9, 2002).

Social Networking and HIPAA

Despite the impression of privacy that many social networking sites portray, information posted on the world-wide web is not private and can be shared freely. Patient information, photos or comments made regarding the care of patients posted on social networking sites can have legal ramifications. HIPAA regulations apply to comments made on social networking sites, and violators are subject to the same prosecution as with other HIPAA violations. Online discussions of specific patients should be avoided, even if all identifying information is excluded. It is possible that someone could recognize the patient to whom you are referring based upon the context. Under no circumstances should photos of patients or photos depicting the body parts of patients be displayed online unless specific written permission to do so has been obtained from the patient.

Written Paper/Hard Copy Protection

- Do not leave PHI on printers or faxes
- Do not save data on a personal flash drive or any other electronic storage device
- Make certain that no written notes or medical records are left where they are visible to others not directly involved in that patient's health care
- In discussion seminars with faculty or written reports, de-identify any patient information
- Do not print or copy any patient's records without written authorization from the facility

Safe Computing Skills

- Do not share passwords
- Use cryptic passwords that cannot be easily guessed
- Do not write your password down
- Log off and restrict access to computer screens
- If you are an employee of the facility, do not use your employee user ID/password while in your student role
- Report any security incidents/breaches
- Accessing patient information electronically or visiting questionable websites, including personal social networking sites, can be tracked back to your user ID

Using or Disclosing PHI

Every health care facility must post on its website and give each patient a hard copy of their Notice of Privacy Practices that describes how the facility may use and disclose the patient's protected health information and advises the patient of his/her rights. The facility must attempt to obtain a patient's signature acknowledging receipt of the notice, except in emergency situations. If a signature is not obtained, a facility must document the reason it was not.

Identify the definition of HIPAA and its primary role in regulating medical records.

HIPAA represents Congress' efforts to prohibit health insurers from limiting coverage for an individual because of a pre-existing health condition and to standardize electronic transfer of health data for billing purposes to reduce health insurance fraud and abuse.

Many think HIPAA is about protecting health information, but in reality, HIPAA stands for

Health Insurance Portability and Accountability Act

Restriction on Disclosures

If a particular item or service is paid for in full out of pocket by (or on behalf of) the patient, the provider must abide by the individual's request to restrict PHI related to such care and not share it with the individual's health plan or insurer.

Incidental Disclosures and HIPAA

Incidental: a use or disclosure that cannot reasonably be prevented, is limited in nature, and occurs as a by-product of an otherwise permitted use or disclosure

Examples: calling out a patient's name in a waiting room, sign-in sheets in hospitals or clinics

Examples of HIPAA Violations

Lake Health in Northern Ohio fired several employees for accessing a patient's information after a routine audit of electronic medical records showed a single patient's health information had been accessed by multiple employees without authorization. (E. Lundbald, "Lake Health fires several employees over HIPAA violations," The News-Herald, October 30, 2012).

CVS Caremark Corp. agreed to pay $2.25 million to settle a federal investigation into allegations that it violated HIPAA privacy regulations when employees threw items such as pill bottles with patient information into the trash. (M. Savage, "CVS pays $2.25 million HIPAA violation settlement," Information Security Magazine, February 2009).

Verbal Awareness

- Minimum Necessary Rule - Use the minimum health information necessary to complete the task (Think before you speak: What does this individual need to know to do their job?)
- Only discuss PHI in private locations
- Be aware of the volume of your conversations
- Do not share more than the "minimum necessary" protected patient information with classmates outside of the pre/post clinical conferences. If you do, it falls under a violation of HIPAA.

What Differentiates a Business Associate?

Most health care providers and health plans do not carry out all health care activities and functions by themselves. Instead, they often depend on the services of business associates.

Ex. An independent medical transcriptionist that provides transcription services to a clinician

Protected Health Information (PHI) 18 Identifiers defined by HIPAA

- Names
- Postal address/geographical identifiers smaller than a state
- All elements of dates except year related to an individual
- Telephone numbers
- Fax numbers
- Electronic mail addresses
- Social security numbers
- Medical record numbers
- Health-plan beneficiary numbers
- Account numbers
- Certificate and license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Internet universal resource locators (URLs)
- Internet protocol (IP) addresses
- Biometric identifiers, including fingerprints, retinal and voice prints
- Full-face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code

Remember, to the Patient, it is ALL Confidential Information

- Patient personal information
- Patient financial information
- Patient medical information
- PHI that is written, spoken or electronic

HIPAA Restricts Sharing/Releasing PHI

Personal information cannot be released to individuals or companies without patient written authorization unless required/permitted by law.

Patient Authorization: allows for a facility to disclose information for purposes other than treatment or billing

Examples when written authorization is required:

- Students or faculty may not access their own or a family member's personal health information without written authorization
- Names of patients on hypertensive medications cannot be released to a company marketing nutritional products to lower blood pressure
- Names of patients admitted into the hospital cannot be released to the media

Health information with identifiers =

Protected Health Information (PHI)

Health Care Clearinghouse

Public or private entity that processes health information received in a nonstandard format into a standard transaction (i.e., billing service, pricing company, community health information system).

Disposing of PHI

Shred the documents, or properly dispose of PHI according to the facility's policy.

Genetic Information

The Genetic Information Nondiscrimination Act of 2008 prohibits discrimination based on an individual's genetic information in both health coverage and employment contexts. In addition, health plans, health insurance issuers (including HMOs) and issuers of Medicare supplemental policies are prohibited from using or disclosing genetic information for underwriting purposes.
