HIPAA Training: Ensuring Privacy for our Patients

Transcription

1

2 HIPAA Training: Ensuring Privacy for our Patients The purpose of the HIPAA Privacy Rule is to prevent inappropriate use and disclosure of individual health information, most commonly referred to as protected health information (PHI). It is not a one-time implementation project. HIPAA entails ongoing responsibilities that must be incorporated into Health Care Facilities' culture and business processes.

3 The HIPAA Training will Help You Understand: What is HIPAA/The Privacy Law? Who has to follow the HIPAA LAW? When do we start? Why is HIPAA important? What are an entity s responsibilities? Where can you get help with HIPAA? What does this mean for you?

4 What is HIPAA? HIPAA is the Health Insurance Portability and Accountability Act a federal law that: Protects the privacy of a patient s personal and health information Provides for electronic and physical security of personal and health information Simplifies billing and other transaction Who has to follow the HIPAA Law? EVERYONE

5 Q? What Health Information Is Protected by the Privacy Rule? A: With certain exceptions, the Privacy Rule protects a subset of individually identifiable health information, known as protected health information or PHI, that is held or maintained by covered entities or their business associates acting for the covered entity. The Privacy Rule does not protect individually identifiable health information that is held or maintained by entities other than covered entities or business associates that create, use, or receive such information on behalf of the covered entity.

6 Who is Covered by the Privacy Rule? Health Plans. Individual and group plans that provide or pay the cost of medical care are covered entities. Health plans include health, dental, vision, and prescription drug insurers, health maintenance organizations ( HMOs ), Medicare, Medicaid, Medicare+Choice and Medicare supplement insurers, and long-term care insurers (excluding nursing home fixed-indemnity policies). Health Care Providers. Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions, is a covered entity. Health Care Clearinghouses. Health care clearinghouses are entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa. In most instances, health care clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or health care provider as a business associate.

7 A Covered Entity is one of the following: A Health Care Provider This includes providers such as: Doctors Clinics Psychologists Dentists Chiropractors Nursing Homes Pharmacies...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard. A Health Plan This includes: Health insurance companies HMOs Company health plans Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs A Health Care Clearinghouse This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

8 Q? Does the Privacy Rule permit a covered entity to use or disclose protected health information pursuant to an Authorization form that was prepared by a third party? A:Yes, A covered entity is permitted to use or disclose protected health information pursuant to any Authorization that meets the Privacy Rule s requirements at 45 CFR The Privacy Rule requires that an Authorization contain certain core elements and statements, but does not specify who may draft an Authorization (i.e., it could be drafted by any entity) or dictate any particular format for an Authorization. Thus, a covered entity may disclose protected health information as specified in a valid Authorization that has been created by another covered entity or a third party, such as an insurance company or researcher.

9 The training focus is on learning what responsibilities you have in order to ensure compliances with HIPAA Privacy and HIPAA Security Regulations. HIPAA PRIVACY Protected Health Information Minimum Necessary Patient Rights Notice of Privacy Practices Privacy Policies Privacy Officer Reporting Privacy Concerns HIPAA SECURITY Electronic Protected Health Information User Identity Password Management Appropriate Use of Computing Devices Security Policies Security Officer Reporting Security Concerns

10 When do we start? NOW!

11

12 Privacy what is it? Our right to keep information about ourselves from others if we choose. We expect that Healthcare providers and workers will protect the privacy of the information they learn about us. But Sometimes our privacy is violated, even by those we most trust to protect it!

13 For example The Situation: One of the Country singer s medical records were sold to the National Enquirer and Star tabloids by a hospital employee for $2,610. The Result: The public s trust in the hospital was damaged, and a valued patient s reputation was compromised.

14 An Overview of the Law HIPAA Health Insurance and Portability Act of 1996 Title I Portability Title II Administrative Simplification Title III Medical Savings Accounts Title IV Group Health Plan Provisions Title V Revenue Offset Provision PRIVACY EDI SECURITY Use and Disclosure of PHI Transactions Administrative Procedures Indivdual Rights Code Sets Physical Safeguards Administrative Requirements Identifiers Technical Security Services Technical Security Mechanisms

15 The Privacy Law Protects patients privacy Supports our value of respecting patients interests. Restores the public s faith in each of us as healthcare professionals, and in ACHN.

16 The Privacy Law Protects all health information created by a ACHN s healthcare provider. Defines who is allowed to see or use a patient s private health information

17 The Privacy Law Protects the information whether it is: Oral Written Electronic

18 Why is Patient Privacy important? Safeguards protected identifiable patient health information Provides patients with more control over what happens with their information Continues

19 Why is it Important?, continued Provides patients with informed choices about how their information is used Balances our need to use information to treat patients, with the patient s desire/need for privacy

20 What Does the Law Include? Protected Health Information (PHI) Protects information known as PROTECTED HEALTH INFORMATION (PHI) that exists in written, oral, and electronic formats.

21 Definition of Protected Health Information Any information created or received by a health care provider, health plan, public health authority, employer, life insurer Relates to the physical or mental health or condition of an individual; the provision of health care to an individual; or the payment for the provision of health care to an individual.

22 Protected Health Information Includes, But is Not Limited to: Medical Records Billing information (bills, receipts, etc.) Labels on IV bags Telephone notes (in certain situations) Test results Patient information on a palm device X-rays Clinic lists Example

23 Name Birth Date Fax Number Account Number Street Address Admission Date Electronic mail address Certificate/License Number License Plate Number City Discharge Date Social Security Number Protected Health Information Examples of PHI Vehicle and Serial Number Device Identifier and Serial Number Precinct Date of Death Medical Record Number Internet Protocol Number Full Face Photographic Images Zip Code Telephone Number Health Plan Beneficiary Number Biometrics Identifiers (i.e. finger prints) Any Other Unique Identifying Number, Characteristic, or Code

24 Q? What Patient Information Must We Protect? A: We must protect an individual s personal and health information that is: Created, kept, filed, used or shared Written, spoken, or electronic HIPAA says that this information is Protected Health Information (PHI) Examples of PHI (Protected Health Information) A person s name, address, birth date, age, phone and fax numbers, address

25 Medical records, diagnosis, xrays, photos, prescriptions, lab work and test results Billing records, claim data, referral authorizations, explanation of benefits Research records The ACHN May Create, Use and Share a Person s PHI for Treatment of the patient, including appointment reminders Payment of health care bills And for Certain Other Activities, including: Medical Staff activities Business and management operations Disclosures required by law Public Health and other governmental reporting For many other uses and disclosures of PHI, ACHN must get a signed authorization from the patient, (e.g., to disclose PHI to the media

26 What Are the Responsibilities of the ACHN? Provide patients with a notice of privacy practices. Protect the information from use or disclosure to those not allowed to see it by law or by the patient. Investigate complaints of breaches of confidentiality. Discipline breaches of confidentiality.

27 The Notice of Privacy Practices Describes the rights the person has to protect their information. Describes the duties we have to the patient to protect their information. Informs the patient about the complaint and investigation process. Must be given to a patient before the first treatment encounter and written acknowledgment obtained.

28 What are the Patient s Rights? To have their information protected To be provided with a notice of our privacy practices To have their questions answered To see their information if they wish (restrictions apply) To obtain copies of their records (for a fee) To request to change their records To limit (under specific circumstances) the use/disclosure of their information

29 Q? Does the HIPAA Privacy Rule require my doctor to send my medical records to the government? A: No. The Rule does not require a physician or any other covered entity to send medical information to the government for a government data base or similar operation. This Rule does not require or allow any new government access to medical information, with one exception: the Rule does give the Department of Health and Human Services Office for Civil Rights (OCR) the authority to investigate complaints that Privacy Rule protections or rights have been violated, and otherwise to ensure that covered entities comply with the Rule. For enforcement purposes, OCR may need to look at how a covered entity handled medical records and other personal health information, as is typical in many enforcement settings. This investigative authority is needed so that the Rule can be enforced, and to ensure the independent review of consumers concerns over privacy violations. Even so, the Privacy Rule limits disclosures to OCR to information that is pertinent to ascertaining compliance. OCR will maintain stringent controls to safeguard any individually identifiable health information that it receives. If covered entities could avoid or ignore enforcement requests, consumers would not have a way to ensure an independent review of their concerns about privacy violations under the Rule.

30 What Must I Do to Ensure Patient Privacy? Be aware of who is around you when you are discussing patient information Dispose of information appropriately Use cover sheets for faxing Share information only with those who are allowed to have it When in doubt, ask for help

31 What Does This Mean for You? Be careful with information to which you have access. Ask yourself: Am I allowed to have this information? Is it required for me to do my job? Is the person with whom I am about to share this information allowed to receive it? Do they need the information to do their job? If I were the patient, and this were my information, how would I feel about it being shared?

32 Health Information Technology Health information technology (health IT) involves the exchange of health information in an electronic environment. Widespread use of health IT within the health care industry will improve the quality of health care, prevent medical errors, reduce health care costs, increase administrative efficiencies, decrease paperwork, and expand access to affordable health care. It is imperative that the privacy and security of electronic health information be ensured as this information is maintained and transmitted electronically

33 You Should be Aware of Patient Privacy in Ensuring computer security Sending/receiving faxes Disposing of information Using/disclosing information Conducting everyday-work practices Each of these aspects of Patient Privacy are discussed in detail in the next few slides.

34 Ensuring Computer Security Never share passwords. Lock workstation/log off when leaving a workstation. Position workstation so screen does not face a public area if possible. Be careful when sending containing patient-identifiable information. Avoid it if possible. Refer to your ACHN s guidelines. Continues

35 Sending/Receiving Faxes Fax is the least controllable type of communication When faxing information: Use a cover sheet!! Verify you have the correct fax number, and The receiving fax machine is in a secure location, and/or the receiver is available immediately to receive the fax Continues

36 Sending/Receiving Faxes continued When receiving faxed patient information Immediately remove the fax transmission from the fax machine, and deliver it to the recipient. If information has been sent in error, immediately inform the sender, and destroy the faxed information (deposit in shredding bin, or other method).

37 Disposing of Information Do not place identifiable health information in regular trash! Rip, shred, or otherwise dispose of identifiable health information Check on ACHN policy/procedure on the correct method for disposal of protected health information.

38 Q? What is "protected health information" (PHI) and "electronic protected health information" (ephi) under HIPAA? A: Under the HIPAA Privacy Rule, protected health information (PHI) refers to individually identifiable health information. Individually identifiable health information is that which can be linked to a particular person. Specifically, this information can relate to: The individual's past, present or future physical or mental health or condition, The provision of health care to the individual, or, The past, present, or future payment for the provision of health care to the individual. Common identifiers of health information include names, social security numbers, addresses, and birth dates. The HIPAA Security Rule applies to individual identifiable health information in electronic form or electronic protected health information (ephi). It is intended to protect the confidentiality, integrity, and availability of ephi when it is stored, maintained, or transmitted.

39 Using and Disclosing Information The next few slides describe ways of using and disclosing information, including Authorizations TPH /TPO (explained in next slide) Incidental Use or Disclosure Authentication

40 Using and Disclosing Information You may use/disclose patient information without specific authorization from the patient for Treating a patient (Treatment) Getting paid for treating a patient (Payment) Other healthcare operations (Operations) Collectively known as TPO or TPH Continues

41 Authentication To the degree practicable you must ensure that the person to whom you give the information is the person allowed to receive it. In other words, be certain to ask for identification! Continues

42 About Authorizations What is an Authorization? Permission from the patient to release information Must be obtained where Protected Health Information is used for other than TPH (except psychotherapy) Is time limited May be revoked by the patient What is Needed for an Authorization? State to whom information will go State for what purpose the information will be used State what information will be sent

43 Q? When is an authorization required from the patient before a provider or health plan engages in marketing to that individual? A: The HIPAA Privacy Rule expressly requires an authorization for uses or disclosures of protected health information for ALL marketing communications, except in two circumstances: When the communication occurs in a face-to-face encounter between the covered entity and the individual; or The communication involves a promotional gift of nominal value. If the marketing communication involves direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved.

44 There are Times when Information May be Disclosed Without Authorization If Required by Law Court Order Subpoena Public-Health Reporting Incidental Disclosures Overhearing a patient s conversation with their doctor or nurse in a semi-private room These are discussed in more detail on the following slides

45 Disclosures Required by Law If the release complies with and is limited to what the law requires, you may give information to (see Authentication below) Public health authorities Health oversight agencies Employers responsible for workplace surveillance Must post notice of privacy practices Medical Examiners, and Funeral Directors Organ procurement organizations

46 Minimum Necessary The Privacy Law generally requires that we all take reasonable steps to limit the use or disclosure of, and requests for Protected Health Information (PHI) to the minimum amount of information necessary to accomplish the intended purpose. The next slide provides details on instances where minimum necessary does not apply.

47 Minimum Necessary Does not apply to: Disclosures to a health care provider for treatment purposes or made at the direction of an authorization by the patient. Disclosures to the patient themselves. Uses/disclosures required for compliance with standardized HIPAA transactions. Disclosures to DHHS required under the rule for enforcement. Uses/disclosures required by other law.

48 Accounting for Disclosures Upon request, covered entities must provide patients with a list of those to whom they have disclosed the patient s information except for Instances when the information is disclosed to the individuals themselves. When it was used/disclosed for TPO, or Under a specific authorization

49 How to Account for Disclosures Unless limited by the request, the accounting must cover the full six years prior to the request, but not earlier than April 14, 2003, and must include To whom information was disclosed When it was disclosed What was disclosed Why it was disclosed

50 Conducting Your Everyday-Work Practices Think about how and when you disclose patient identifiable data. Look for opportunities to reduce unnecessary uses and/or disclosures. What data do you create? What data do you send to others outside where you are working? For what purpose? What data do you receive from others? For what purpose? Continues

51 Conducting Your Everyday-Work Practices For Communicating information. Recording and keeping information. Transporting and disposing information. Watch where you talk about patients. Be careful with whom you speak Are they allowed to receive the information? Why? Talking at a party about a patient you have seen just because it is interesting should not be done. Remember is not always safe. Think twice before sharing information about patients.

52 Who is Responsible? We are all responsible! Anyone who cares for patients, is responsible for using identifiable information in order to perform their jobs Anyone who works that involve patient identifiable information

53 How to Get Help or Report a Privacy Concern or Breach Contact Your ACHN management The ACHN privacy officer Consult the appropriate ACHN policy.

54 Organizational and Administrative Requirements A Privacy Officer must be appointed to implement and develop privacy policies and procedures for the agency. ACHN must train all employees on privacy policies and procedures. Must amend all business associate to establish the permitted and required uses and disclosures of PHI. Must verify the identity and authority of person requesting PHI.

55 Guidelines for Recording and Keeping / Disposing of information You are responsible for protecting the information. Password protect files Encrypt when possible Dispose of information correctly Rip, shred, or otherwise destroy those 3x5 cards or notes about patients. Do not leave records and x-rays lying around conference rooms, lounges, etc.! If you find PHI lying around return it or destroy it.

56 Summery of HIPAA Privacy ACT

57 The Privacy Rule The HIPAA Privacy Rule establishes national standards to protect individuals medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

58 Who has to follow HIPAA? Everyone!

59 Why is HIPAA important? Protecting privacy is important! We all want our PHI to be private Our clients want their PHI to be private It s the right thing to do It s the law

60 What are the Penalties for Not Complying Failure to Comply (usually institutional) $100 per violation $25,000 maximum for all violations of a single requirement Wrongful Disclosure (individuals or institutions) $50,000 and/or imprisonment up to 1 year $100,000 and/or imprisonment up to 5 years, if under false pretenses $250,000 and/or imprisonment up to 10 years, if intent to sell information

61 How is Law Enforcement Affected? Protected Health Information may be released to law enforcement for the following purposes only: Responses to legal proceedings Information requests for identification and location Circumstances pertaining to victims of a crime Deaths suspected from criminal conduct Medical emergencies Again, release of information must be tracked carefully with documentation

62 HIPAA Requires the ACHN to: Give each patient a Notice of Privacy Practices that describes: How the ACHN can use and share his or her protected health information (PHI) A patient s privacy rights Asks every patient to sign a written acknowledgment that he/she received the Notice of Privacy Practices The Notice Explains What ACHN Can Do With PHI. You can contact Privacy Officer to ask questions or get a copy of the Notice

63 What can happen if we don t follow HIPAA? Someone who does not protect a person s personal and/or health care privacy could: Lose his/her job Pay fines Go to jail

64 Fines? Fines range from $50,000 to $250,000 per incident Penalties for Not Complying

65 Jail? Jail terms can be up to 10 years per incident Penalties for Not Complying

66 When do we have to protect PHI? NOW!

67 ACHN Board may create, use and share a person s PHI for: Treatment Billing and Payment Agency Business Management and Operations Disclosures Required by Law Public Health and Other Governmental Reporting

68 Minimum Necessary Scenarios Example, Myth / Facts & Qs

69 Example # 1 A patient that I cared for in the ICU was transferred to a medical unit. May I look in the patient s record to see how she is doing? May I call the unit and talk to the nurse who is now caring for her? As much as this may reflect your compassion and concern for patients whom you have taken care of in the past, you may not inquire into her status unless there is a job-related reason. For example, if you have to complete a note in her record after she has left your unit, you may access her record to complete your note. Minimum Necessary

70 Example #2: I happened to be using the copier in the office when a fax arrived. I did not read any of the details but recognized the client name on the incident report. I did not do anything with the information and kept it to myself. Did I do the right thing?

71 Myth One provider cannot send medical records of a patient to another provider without that patient s consent Fact: No consent is necessary for one provider to transfer a patients' office for treatment purpose. The privacy Regulation specifically states that a provider is permitted to use or disclose protected health information for treatment, payment, or health care operation, without patient consent.

72 Q? Can health care information be shared in a severe disaster? A: Providers and health plans covered by the HIPAA Privacy Rule can share patient information in all of the following ways: TREATMENT: Health care providers can share patient information as necessary to provide treatment. NOTIFICATION: Health care providers can share patient information as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the individual's care of the individual's location, general condition, or death. IMMINENT DANGER: Providers can share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public -- consistent with applicable law and the provider's standards of ethical conduct. FACILITY DIRECTORY: Health care facilities maintaining a directory of patients can tell people who call or ask about individuals whether the individual is at the facility, their location in the facility, and general condition. Q? Is the HIPAA Privacy Rule suspended during a national or public health emergency? Answer: No; however, the Secretary of HHS may waive certain provisions of the Rule under the Project Bioshield Act of 2004 (PL )

73 Any?