HIPAA Privacy & Security Training for Clinicians

Agenda

This training will cover the following information:
- Overview of the Privacy Rule and the Security Rule
- Using and disclosing Protected Health Information
- Protecting health information
- Examples of how to protect patients' health information
- How to report a privacy or security violation
- Penalties and sanctions for violating the Privacy or Security Rules

Health Insurance Portability and Accountability Act (HIPAA)

The Privacy Rule:
- Protects an individual's health care information, known as PHI
- Identifies permitted uses and disclosures of this protected health information ("PHI")
- Gives patients control over their health information (Patient's Rights)

The Security Rule:
- Protects an individual's health care information that is maintained or transmitted electronically
- Requires administrative, physical, and technical safeguards for electronic PHI (ePHI)
- Disciplines workforce members who fail to comply with security policies and procedures

Who is Covered by the Privacy and Security Rules?

An organization that provides or pays for health services ("Covered Entities"), including:
- Health care providers (doctors, nurses, allied health practitioners)
- Health care facilities (hospitals, clinics, and their employees)
- Health plans (HMOs, insurers)
- Health information clearinghouses (e.g., PRMO)

which transmit any health information in electronic form in connection with certain claim processing transactions.

Source: CITI Collaborative Institutional Training Initiative, www.citiprogram.org

What are Duke Medicine's Responsibilities under the Privacy and Security Rules?

- Develop policies and procedures
- Appoint a Privacy Officer and a Security Officer
- Restrict uses and disclosures of PHI
- Provide privacy and security training
- Develop a Notice describing patients' rights and Duke Medicine's use and disclosure of PHI
- Maintain records of certain PHI disclosures
- Investigate and respond to privacy or security incidents

What are Duke Medicine's Responsibilities under the Privacy and Security Rules? (continued)

Respect patients' rights to:
- Receive the Notice of Privacy Practices
- Inspect, access, or obtain copies of their medical records
- Object to certain disclosures of their PHI and request certain privacy protections
- Ask to correct PHI that they believe is wrong or missing in their medical record
- Obtain a listing of certain disclosures of their PHI
- File a complaint with the US Office for Civil Rights

Using and Disclosing PHI

Overview of the Privacy Rule: What is PHI?

- Information that identifies a person, living or deceased
- Past, present, or future health information
- Health information that is electronic, on paper, or spoken in conversation, such as lab reports, conversations among clinicians, billing statements, x-rays, and nursing notes

PHI identifiers include information such as:
- Name
- Names of relatives, family members, or employer
- Mailing and e-mail address
- Phone number or fax number
- Social security number or medical record number
- Date of birth, dates of service
- Insurance and bank account numbers
- Photos, voice, finger or retinal prints
- ZIP code

Using & Disclosing PHI

The Privacy Rule states that PHI should only be used* and disclosed**:
- For treatment
- For payment of health care services
- For healthcare operations (administrative activity of providers)
- As authorized by the patient
- For other circumstances described in the Privacy Rule

* "Use" means sharing health information within Duke Medicine.
** "Disclosure" means sharing health information with other people or entities outside of Duke Medicine.

Using & Disclosing PHI for Treatment

Duke Medicine may use and disclose PHI for treating patients. Examples include:
- Clinicians providing treatment and services to patients
- Staff performing discharge planning
- Sending appointment reminders to patients
- Notifying patients' doctors of test results

Using & Disclosing PHI to Family and Friends

When disclosing PHI to family and friends who are involved in a patient's care, clinicians must review the circumstances and use professional judgment in determining the amount of PHI to disclose.

1) If the patient is present and has the capacity to make healthcare decisions, the clinician may discuss the patient's health information with a family member, friend, or other person if the patient agrees or, when given the opportunity, does not object.
2) If the patient instructs the clinician not to tell his or her family about his or her condition, the clinician should not discuss the patient's condition or treatment in front of family.
3) If the patient is not present or is incapacitated, use professional judgment. Professional judgment is judgment made by the clinician based upon the facts and circumstances, including the patient's health and health care needs:
- Limit disclosure to the information needed to make a decision regarding current treatment
- Disclose only PHI that is directly relevant to the person's involvement in the patient's care
- Share or discuss only the information that the person involved needs to know about the patient's care or payment for care

Using & Disclosing PHI: Examples

Examples when the patient agrees:
- A nurse may discuss a patient's home care instructions with a neighbor who provides daily care to the patient.
- A hospital representative may discuss a patient's payment options with the patient's adult son who accompanies the patient to the exam room.
- A doctor can discuss a patient's treatment in the presence of a friend whom the patient has requested be in the treatment room.

Examples of professional judgment:
- In an emergency, the clinician may contact the patient's spouse to ask about the patient's medical history.
- A clinician should not share information about a patient's past HIV or psychiatric tests.
- A friend may pick up a specific prescription drug for a patient.

Using & Disclosing PHI: Considerations

When disclosing health information to family or friends, clinicians should be aware of and take into consideration:
- The emotional/mental state of the patient's family members or friends
- The sensitive nature or the type of health information being discussed with the patient
- The visitors who accompany the patient, their relationship to the patient, and their involvement in the patient's care
- The information family or friends need to know about the patient's care
- The information the clinician needs from family and friends to treat the patient

See DUHS Policy: Uses and Disclosures for Involvement in the Individual's Care and Notification.

Using & Disclosing PHI for Payment

Duke Medicine may use and disclose PHI for payment of healthcare services. Payment includes such activities as:
- Billing insurance companies, collecting payments from patients, precertification of services, and billing clinical trial sponsors
- Processing claims
- Investigating and responding to billing complaints
- Verifying patients' insurance benefits

Using & Disclosing PHI for Healthcare Operations

Duke Medicine may use and disclose patient information to perform certain healthcare operations, including:
- Quality assurance
- Credentialing
- Medical auditing
- Risk management
- Training programs for students, trainees, and staff
- Evaluation of clinician performance
- Customer service; response to complaints

Using & Disclosing PHI as Authorized by the Patient

Duke Medicine may use and disclose PHI as authorized in writing by the patient for certain activities, such as:
- The patient's participation in a research study
- Release of the patient's information to a specific individual as directed by the patient
- Providing a copy of the medical record to the patient

Using & Disclosing PHI for Certain Circumstances Described in the Privacy Rule

Duke Medicine may use and disclose PHI for certain circumstances described in the Privacy Rule, including:
- Law enforcement purposes, such as the reporting of gunshot wounds to the police department
- Public health purposes, such as the reporting of communicable diseases (STDs, tuberculosis, etc.) or adverse events reportable to the FDA
- Judicial and administrative proceedings, such as court orders and subpoenas
- Fundraising

Using & Disclosing PHI: Minimum Necessary

When using or disclosing PHI, employees must follow the minimum necessary requirements:
- Only the PHI necessary to complete the task should be accessed, used, or disclosed, unless it is for treatment purposes
- Use or disclosure of PHI must be reasonably related to a genuine work task
- If employees receive a request to provide PHI and are unsure whether to release it, they should contact their supervisor

Using and Disclosing PHI: Unauthorized Access

- Only workforce members with responsibilities for a particular patient may access information on that patient
- Unauthorized access is the access or disclosure of information that an employee does not have a responsibility to access or share
- Unauthorized access is prohibited and against Duke policy and the HIPAA Privacy Rule
- Unless you have responsibilities for a patient or have written authorization from that patient, you may not access information on friends, family members, coworkers, neighbors, or strangers

Business Associates

The Privacy Rule requires Duke Medicine's Business Associates to maintain privacy and security. This is done through a Business Associate Agreement.
- A business associate (BA) is a person or organization that is not part of Duke's workforce but, in performing services on behalf of Duke, needs PHI to complete those responsibilities
- Prior to sharing PHI, Duke must ensure there is an executed Business Associate Agreement (BAA): a contract that describes the expectations and obligations of a BA in protecting the privacy and security of the PHI entrusted to it
- A BAA should be implemented by following the DUHS Business Associate Policy at http://staff.dukehealth.org

Protecting Health Information

Protecting Spoken Health Information

Protecting spoken health information means we should:
- Direct visitors and callers to the information desk
- Speak softly in semi-private rooms
- Close doors or curtains when talking about treatments or doing procedures
- NOT talk about a patient's care in public areas like the waiting room or cafeteria
- Knock first and ask to enter a patient's room
- Ask the patient's permission before speaking about the patient's condition in front of visitors
- Use professional judgment when making decisions about sharing PHI with friends and family when the patient is incapacitated or otherwise unable to give authorization for sharing that information

Protecting Health Information on Paper

To protect health information on paper we must:
- NOT leave papers unattended on printers, copiers, fax machines, etc.
- Use a cover sheet when faxing PHI
- Keep health information away from public view
- Shred information that is no longer needed
- Find the owner of lost papers found in restrooms, lobbies, etc.
- Secure medical records (locked)

Protecting Electronic Health Information

Protecting electronic health information means we should:
- Keep computer screens pointed away from the public
- Log off or lock computer screens when leaving our computer
- Create strong passwords
- NEVER share passwords, even with technical support people
- NOT write down passwords
- Password-protect laptops and handheld devices (PDAs, etc.)
- Report viruses, computer errors, and security violations
- Follow policies and procedures when using wireless technology
- Use encryption when transmitting PHI over the internet
- NOT store sensitive information on mobile devices unless it is encrypted (consult the guidance on the selection and use of encryption tools)
- Keep portable devices in a safe and secure place (locked)
- Properly dispose of mobile devices that are no longer needed

Examples of Possible Privacy and Security Violations

Joe, a therapist, had a fall on the 4th floor and is treated in the emergency department (ED). Linda, a nurse on the 4th floor, is Joe's friend, so she calls the ED to see how Joe is doing. The ED charge nurse tells Linda that Joe needs further cardiac tests.

Did Linda and the ED charge nurse violate the Privacy Rule?

YES! Linda violated patient privacy by requesting information on an individual who is not her patient. The ED charge nurse violated patient privacy by providing that information to Linda. All Duke Medicine employees have an obligation to access only the patient information needed to perform their work and to release information only to those authorized to receive it.

Examples of Possible Privacy and Security Violations

You are a nurse and receive a phone call asking about a patient's location in the hospital. The caller says she is the patient's sister. Should you tell the caller the patient's location?

NO! You should refer the caller to the Information Desk. The Information Desk will release the appropriate information about listed patients (the patient's room number and general condition, in non-specific terms) to those who ask for the patient by name. A patient can request that his or her name not be listed in our facility directory. If so, the Information Desk will know that anyone inquiring about the patient should be told that the facility has no record of that person being admitted.

Examples of Possible Privacy and Security Violations

When you begin your shift, you see that your colleague from the previous shift left the computer you need logged in. Should you go ahead and use the computer?

NO! You should log out and log back in with your own ID and password before you use the computer. Using a computer under someone else's ID creates a false record of who accessed PHI, which is a HIPAA violation. Report the incident to your supervisor or through one of the methods described under Reporting Violations, below. Always log out when you leave a computer, or you may be held responsible for what someone else does with it.

Accounting for Disclosures

Patients have the right to request an accounting of certain disclosures of their health information.

An Accounting of Disclosures includes, but is not limited to:
- Disclosures to public health agencies as required by law without authorization (e.g., STD reporting)
- Disclosures to the FDA for adverse event reporting
- Disclosures for research done with an IRB waiver of the need for authorization
- Disclosures to law enforcement
- Disclosures for administrative procedures without authorization from the patient
- Disclosures required by law (including legally required disclosures to workers' compensation)

An Accounting of Disclosures excludes uses or disclosures made for payment, treatment, and healthcare operations, and disclosures the patient has specifically authorized.

Staff have an obligation to keep track of such disclosures.

Accounting of Disclosures

The accounting for each disclosure will include:
- The date of the disclosure;
- The name of the entity or person who received the PHI and, if known, the address of that entity or person;
- A brief description of the PHI disclosed;
- A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure; or, in lieu of such a statement, a copy of the individual's written request for a disclosure.

It is the responsibility of staff to record each disclosure in the log. See the DUHS Right to an Accounting of Disclosures of Protected Health Information policy. All written requests for an accounting of disclosures should be forwarded to the DUHS Privacy Officer.

Reporting Violations and Sanctions & Penalties

Reporting Violations

If you become aware of a Privacy or Security violation, you should notify any of the following:
- Your manager or supervisor
- Your facility privacy or security director or officer
- Your compliance office
- The Integrity Line (1-800-826-8109)

Integrity Line

If you wish to make an anonymous report or feel uncomfortable calling the Compliance Office directly, you can call the Integrity Line at 1-800-826-8109.
- An outside company handles all hotline calls
- All hotline calls are confidential and thoroughly investigated by the compliance office
- You do not have to give your name

What Happens to Me When I Report a Privacy Concern?

Non-Retaliation/Non-Retribution Policy: If you report a concern in good faith,* no retaliation or retribution may be taken against you, even if the investigation determines that a problem does not exist. You will also not be punished for asking a privacy question. However, if you report a privacy violation to protect yourself or others, this policy does not protect you, and you will be disciplined. Supervisors will be disciplined for any attempts to punish or retaliate against anyone acting in good faith in reporting a compliance violation.

* "Good faith" means that the person reporting the problem truly believes that a problem exists.

Violating HIPAA Privacy or Security Rules

You and Duke may receive severe penalties for HIPAA Privacy or Security Rule violations. There are civil and criminal penalties.
- If you do not protect an individual's health information, you may be disciplined under Duke's work rules
- Duke Medicine penalties for HIPAA Privacy or Security Rule violations depend on the level of the violation
- Discipline may include anything up to and including termination of employment

Don't take risks with your job or the law!

Examples of Privacy and Security Rule Violations

- Discussing confidential information in public
- Looking at the chart of a coworker who is in the hospital to find out his room number so you can visit him
- Sharing details about an inpatient at a social gathering without authorization
- Using someone else's ID or letting someone else use yours
- Storing PHI on your home computer or on a laptop computer that is not encrypted
- Turning off security controls on your computer, such as the screen saver or virus checker
- Sending PHI in an email to someone outside of Duke without encryption (click the Sensitive Electronic Information box in Notes instead)

Summary: Privacy and Security Rules and Responsibilities

- Use and disclose PHI only as related to your job responsibilities
- Patients' health information is private and must be protected
- You have an obligation to maintain the privacy of patient information
- You must report privacy violations

For questions, contact DUHS Compliance at 668-2573 or compliance@mc.duke.edu