Grand Rapids Medical Education Partners Mercy Health Saint Mary s Spectrum Health. Pam Jager, GRMEP Director of Education & Development

Transcription

1 Grand Rapids Medical Education Partners Mercy Health Saint Mary s Spectrum Health Pam Jager, GRMEP Director of Education & Development

2 To understand the requirements of the federal Health Information Portability & Accountability Act (HIPAA), including HITECH regulations and state privacy laws that protect the privacy and security of confidential patient data To understand how these laws affect you in your residency/fellowship position To understand your responsibilities for good computer practice

3 Protect the privacy of patient information Secure patient health information electronically and physically Comply with the minimum necessary standard for use and disclosure of patient health information Provide specific patients rights for access, use and disclosure of health information

4 Privacy breach notifications requirements Reported to federal government Reported to affected patient Fines and penalty increases for privacy violations Health care entities Potentially to the person who committed the infraction Patient right to request electronic copies of his/her health care record Patient right to restrict disclosure Mandates that business associates are directly liable for noncompliance of HIPAA regulations

5 Privacy applies to ALL verbal, written, & electronic information These laws apply to YOU and anyone else who works with or may view health, financial or confidential information with HIPAA protected persons

6 facebook HIPAA is related to everyone who uses a computer or other electronic device to store or transmit PHI. These devices need to have the PHI encrypted and be HIPAA secure. Data stored on any portable device must be encrypted You are accountable for any and all activity conducted under your User ID

7 HIPAA Criminal Penalties $50,000 - $250,000 fines Imprisonment up to 10 years HIPAA Civil Penalties $100 - $1,500,000/year fines GRMEP Disciplinary Actions Up to and including corrective action, loss of privileges, suspension and termination

8 Name Postal address All elements of dates except year Telephone number Fax number address URL address IP address Social Security number Account numbers License numbers Medical record number Health plan beneficiary number Device identifiers & serial numbers Vehicle identifiers & serial numbers Biometric identifiers (finger prints) Photos in which the person can be identified Any other unique identifying numbers, codes or characteristics, or identifiable images

9 Each health care entity must give each patient a Notice of Privacy Practice that describes how PHI may be used and disclosed The health care entity must obtain the patient s signature of the receipt of the Notice, except in emergency situations In these cases, if a signature is not obtained, the institution must document the reason

10 The Notice of Privacy Practice allows PHI to be used & disclosed for purposes of: Treatment referring & consulting physicians Payment an insurance company needs a service date Operations hospital Quality Improvement office wants a copy of the operative report If you are ever unsure- ASK!

11 HIPAA requires users to access the minimum amount of information necessary to perform their duties. Example a billing clerk may need to know what laboratory test was performed, but does NOT need to know the result. For patient treatment, there are no restrictions on the amount of information except: psychotherapy information, HIV results and substance abuse.

12 You must have a physician-patient relationship. Example you cannot access your spouse medical record You can access PHI only when required for your job! Spectrum Health & Mercy Health Saint Mary s policy: you cannot access your own medical record or laboratory results

13 You can legally access your laboratory reports through the Spectrum MyHealth program if you choose to do so To do this you must: Establish a patient relationship with a Spectrum Health physician, with you being that physician s patient Sign up for the Spectrum MyHealth account. Ask the physician office personnel for instructions

14 There are state laws that apply to the release of information, reporting of breaches, mental health records, fee charges, and more. Ask hospital staff if you are ever unsure if one of these pertain to a situation you are in Reproductive Health related care: pertains to allowing minors to consent and have the episode of care restricted from parental access. Spectrum Health clinics have procedures for these issues. You must ask the clinic staff about these during your initial assignment visit!

15 In addition, HIPAA rules and regulations also apply to accessing patient records and PHI for research purposes Prior to accessing PHI for research, institutional review board approval (IRB) must be obtained from the institution that holds the records In order to obtain IRB approval, an application, protocol and data collection tool need to be submitted for review

16 Data Collection Correlation tool This file will link an ID # (assigned by the investigators) to the patient s name and medical record number Data collection tool Use ID # in the data collection sheet (no patient names or MRNs) All files must be password protected and stored separately on a secure drive Only IRB approved investigators may access files Data analyses should be performed using the de-identified data collection tool Research questions/assistance: research@grmep.org

17 You will receive additional HIPAA training at orientation Hospital Compliance and Patient Safety Officers will deliver this information Come prepared to ask questions so you leave that session armed with the most effective HIPAA information for your own accountability