Privacy Compliance Health Occupations Students

Transcription

1 Privacy Compliance Health Occupations Students

2 Health Occupations Students The information in this power point is the same information provided to new SCHS caregivers at their orientation. We cannot stress enough the importance of complying with the laws governing patient privacy. It is easy to be confused by all the acronyms and terms contained in this power point. If you remember nothing else, remember this- Protecting patient confidentiality isn t just a hospital policy, it s the law. Any violation of patient privacy can END the job shadow program for all students.

3 Privacy Compliance HIPAA Health Occupations Orientation

4 HIPAA Health Insurance Portability & Accountability Act HIPAA ensures that personal medical information patients share with doctors, hospitals, caregivers and others who provide health care is protected.

5 Protected Health Information PHI Protected Health Information Patient Identifiers are protected health information (PHI) and include: Clinical information Payment information Patient name, address and telephone number Social Security number, account numbers, license number, birth date, and address These identifiers apply to information that is oral, recorded, on paper, or electronic.

6 Personal Health Information Snooping Although you may have the ability, you should never access any portion of your own record, your family s, or a friend s medical record. If you would like to look at or get copies of your or a family member s medical record, a signed authorization form can be obtained from the SCHS Health Information Management (HIM) department or the SCHS Lab.

7 Final Rule 2013 A Changing Issue Hospitals and health care organizations have always upheld strict privacy and confidentiality policies. But, changes have occurred. The U.S. Government has strengthened the laws that protect privacy and confidentiality in response to private medical information getting into the wrong hands.

8 Final Rule 2013 The HIPAA Privacy Rule The HIPAA privacy rule became effective April 14, 2003, and established standards for information disclosure including what constitutes a valid authorization. HIPAA applies to covered entities, defined by the rule to include health plans, healthcare clearinghouses, and health providers that transmit specific information electronically. The rule was amended by the final HITECH Omnibus Rule, with a compliance date of September 23, This final rulemaking provides increased protection and control of health information (PHI).

9 Final Rule 2013 Stringent requirements in the event of a breach the inappropriate or unauthorized use or disclosure of patient health information. In some cases, health care organizations must notify patients and the Office For Civil Rights (OCR) when unsecured or unencrypted PHI has been compromised. Individuals must be notified without delay and within 60 days after the breach is discovered or should have been discovered.

10 Final Rule 2013 The consequences of noncompliance Increased civil and criminal penalties that are tied to the level of intent and neglect. Individuals as well as business associates are subject to the same civil and criminal penalties as health care organizations for violations and noncompliance due to willful neglect. Non-compliance due to willful neglect can result in civil penalties up to $325,000 with repeat or uncorrected violations extended up to $1.5 million.

11 Final Rule 2013 In addition, the Oregon State Attorney General can bring civil actions against a person on behalf of patients adversely affected by violations of HIPAA or the HITECH Act. Student violations will result in your immediate expulsion from the program and can result in ending the job shadow program.

12 Final Rule 2013 So, here s the bottom line HIPAA and the HITECH Act protect each patient s right to privacy and confidentiality. Privacy and confidentiality are everyone s responsibility. Multiple state courts have ruled that HIPAA establishes a standard of care to which health care providers and offices need to adhere. Criminal and civil iability for negligence may arise when that standard of care is breached. A court ordered Walgreen s to pay $1.44 million to a customer whose PHI was impermissibly accessed and disclosed by a pharmacy employee. The employee suspected her husband s ex-girlfriend gave him an STD and looked up the ex s medical records to confirm it, then shared it with her husband. He then texted the ex-girlfriend and informed her that he knew about her STD.

13 Final Rule 2013 Reality: Never disclose patient-related sensitive information through social media Initiated by a patient who was always late to her pre-natal appointments, a Missouri doctor posted to her personal Facebook page May I be late to her delivery? A reader took a screen shot of the doctor s comment and posted it to the employing hospital s Facebook page for expectant mothers where many wrote to demand the doctor s termination. The doctor s posts revealed the patient s induction date and that she had previously suffered a still birth, making identification likely. The employing hospital publicly issued a comment decrying the incident. FACEBOOK

14 Case Scenarios So you re job shadowing in the hospital when you hear that a neighbor has just arrived in the emergency room for treatment after a car crash. You hear someone saying that he will be taken to surgery soon. The neighbor s wife works in another part of the hospital.. Should you notify your neighbor s wife that her husband has arrived in the emergency department?

15 Case Scenario NO! The correct course of action is to tell the nursing staff that you know the patient and his wife and offer to help by providing information in the event it s needed. When patients are in the hospital, they have the right to decide who should know they are there. Your neighbor has a right to privacy. Your neighbor may not want to notify his family of his accident. If he is conscious, the emergency department staff will allow him to direct who should be notified of his presence at the hospital. If he is unconscious, the doctors and nurses will use their professional judgment about whether to notify his wife and will decide whether you, as a friend, should be involved in any way. Leaving this direction to the emergency department staff is essential.

16 Case Scenario A friend is concerned because his girlfriend is in the hospital. He asks you to find out anything you can. Should you try to find information for your friend?

17 Case Scenario NO! Again, the answer is no. In fact, you shouldn t even acknowledge that the girlfriend is in the hospital. You should direct your friend to the information desk. He can learn the general condition of a patient by calling and asking (if the patient has agreed that the information may be made available). It is best to remember that you are not to seek out confidential patient information. When confidential patient information is made available to you, you are not to repeat it to anyone. Protecting patient confidentiality isn t just a hospital policy, it s the law.

18 Case Scenario You pass a nurses station where patients names are listed on a white board. You spot the name of a classmate. Should you stop by his/her room?

19 Case Scenario NO! If you learned of your classmate s hospital stay only by looking at the white board, you should not go to his/her room unless your job shadow requires you to go there. Your friend might have allowed his/her name to be listed in the information directory or shared his/her hospitalization with friends or family. If you find out from these methods or his/her family members that they are staying in the hospital, feel free to visit him/her after your job shadow is over. Be sure to follow the hospital s visitor policy.

20 Case Scenario Quick Review Sensitive information exists in many forms printed, spoken, and electronic. Sensitive information includes Social Security numbers, credit card numbers, driver s license numbers, personnel information, computer passwords, and PHI. There are a number of state and federal laws that impose privacy and security requirements. Two primary HIPAA regulations are the Privacy Rule and the Security Rule. When used to identify a patient, combined with health information, HIPAA identifiers create PHI (protected health information). Breaches of information privacy and security may result in both civil and criminal penalties, as well as SCHS sanctions. Caregivers must report such breaches.

21 Reporting Reporting Caregivers are responsible for reporting and responding to information security incidents and information security breaches. SCHS has a contract with EthicsPoint for caregiver to report compliance issues. SCHS has established a specific no retaliation policy to encourage reporting. At EthicsPoint you can report violations or wrong-doing anonymously, if you want. Also, Federal and State laws protect reporters of suspected fraud and abuse from retaliation and retribution.

22 Reporting Event Management System EMS For all compromises, caregivers must log the incident into the Event Management System. Examples include: A lost or stolen laptop or other information security issues. You suspect your password is known by another. You suspect that a caregiver has viewed a patient s information without being a part of his/her job. You suspect inappropriate use of company computer systems, internet access or patient data. You suspect patient information has been faxed to the wrong number.

23 Privacy Compliance To whom can a student report an incident? 1. Your teacher 2. Debbie Cole, Cascades East AHEC Director of Compliance Nicole Hough Compliance Auditor Lisa Wilson Privacy and Information Security Officer Judi Hofman Director-Information Technology Security