Privacy for Beginners: What Every Healthcare Worker Needs to Know About HIPAA and Privacy
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is broad federal legislation that includes rules to protect the privacy and confidentiality of patient information. It does not replace existing confidentiality laws; it establishes a minimum requirement.

Protected health information
HIPAA regulates the use and disclosure of what is known as protected health information, or PHI. PHI is any information that identifies an individual and relates to that person's past, present, or future health care, or to the payment for that care.

Protected health information
This is virtually all information about a patient, whether written on paper, saved on a computer, or spoken aloud. This includes their:
- Name
- Address
- Age
- Social Security number
- Other personal information
- License plate numbers
- Fax machine numbers

HIPAA confidentiality
HIPAA privacy also protects the following:
- The reason the patient is sick or in the hospital
- The treatments and medication he or she receives
- Caregivers' notes
- Information about past health conditions

Use of protected health information
In general, a healthcare provider can access and use PHI without specific patient authorization if it is to be used for treatment, payment, or healthcare operations (TPO). Before looking at a patient's health information, ask yourself: "Do I need to know this to do my job?"

Use of protected health information
A healthcare provider can also disclose PHI without patient authorization when:
- Required by law
- For public health activities
- For law enforcement
- For other national priorities: funeral directors, organ donation, research, preventing a disaster, special government functions, workers' compensation

Use of protected health information
Minimum Necessary Standard: always use or disclose only the minimum amount of information necessary to honor the request. If you are not sure whether you should disclose any form of PHI, ASK your supervisor, department compliance representative, or the compliance officer. Once the disclosure is made, it is too late to get it back.
Security for Beginners: What Every Healthcare Worker Needs to Know About HIPAA Security
Use of electronic protected health information (ePHI)
The HIPAA security rules apply only to ePHI: PHI that is stored, maintained, or transmitted in an electronic format. ePHI is the same information as PHI, anything that could identify the patient, their medical condition, or method of payment. The security rules require additional compliance.

Use of electronic protected health information (ePHI)
Appropriately use computers and other technology. Workforce members cannot use their computers or their access to review personal or family PHI. If you use a laptop, palmtop computer, PDA, or removable storage media, it is your responsibility to obtain approval before transferring ePHI to a portable device, and to protect ALL ePHI from theft, both electronic and physical.

Use of electronic protected health information (ePHI)
Monitor the use of cellular phones: information and images (ePHI) can be sent over the Internet, and this ePHI is not encrypted. Sending ePHI over the e-mail system is not allowed. Use e-mail and Internet access appropriately. Workforce members should remember that e-mails sent to or from MBR computers are not considered private; MBR can and does audit e-mail and Internet usage.

Use of electronic protected health information (ePHI)
Password control. Sign off the application after you are finished. You are your password: protect it and never share it. If you believe your password has been compromised, call the Help Desk immediately. Tell them your concern and ask for a new password.
What Does HIPAA Mean To Me?
Our patients have a right to expect that we will keep their information confidential. This information includes anything that could identify, or be used to find out the identity of, the patient or their medical condition. As employees, volunteers, and physicians, we come in contact with many forms of patient information, e.g. surgical lists, laboratory draw lists, patient census listings, etc. We need to understand what the acceptable uses of this information are. Follow the need-to-know rule. Ask yourself: do I need to see patient information to perform my job? If the answer is yes, you have nothing to worry about. If the answer is no, STOP.

What Does This All Mean To Me?
The cafeteria, the elevator, and social media sites are not the place to discuss the medical condition or other aspects of a patient's care. Information you have access to must not be the subject of conversation with family, friends, or neighbors. Most disclosures of PHI do not need an authorization by the patient. PHI can be disclosed without an authorization for reasons of TPO and for any of the 12 permitted uses under the Privacy Rule. Any other disclosure requires an authorization by the patient. The minimum necessary standard needs to be applied to all disclosures except for treatment purposes, disclosures to the patient, or disclosures required by law.

What Does This All Mean To Me?
Never send ePHI to anyone unless you have verified who will receive the information and how the information will be used. If it doesn't seem right to you, it probably isn't. Remember, follow the need-to-know rule. Ask yourself: do I need to see patient information to perform my job? If the answer is yes, you have nothing to worry about. If the answer is no, STOP. Use e-mail and Internet services in the proper manner.

What Does This All Mean To Me?
Always protect your password. NEVER give your password or sign-on to anyone. If you think your password or sign-on has been compromised, notify the Security Officer immediately. Violations can also result in personal civil penalties of up to $25,000 per person and criminal penalties of up to $250,000 and/or 10 years in prison. Violations of confidentiality and privacy policies can result in disciplinary action up to and including discharge.

What Does This All Mean To Me?
If you know of any violation of our existing confidentiality policies or the Privacy Policy, it is your obligation to bring the violation to the attention of your supervisor, compliance representative, Privacy Officer, or Compliance Officer. Compliance is the responsibility of every employee!

Questions??
Contact: Mike Jamrog, Compliance/Privacy Officer
Telephone: 989-894-3849
Compliance Hot Line: 989-894-3945
Privacy Line: 989-894-3970