HIPAA Training for Hospice Staff and Volunteers
Hospice Education Network

Objectives
- Explain the purpose of the HIPAA privacy and security regulations
- Name three patient privacy rights
- Discuss what you can do to help the hospice safeguard the privacy and security of protected health information

Agenda
- Brief background / history of HIPAA
- What is PHI?
- HIPAA privacy requirements
- HIPAA security requirements
- What is a breach?
- How you can help with compliance
HIPAA Overview / Background

What is HIPAA?
- Health Insurance Portability and Accountability Act of 1996
- Administrative Simplification: Transactions Rule, Privacy Rule, Security Rule

The Transactions Rule
- Standardizes (and simplifies) how specific electronic transactions involving health information are transmitted.
- The Transactions Rule made it necessary to formulate the Privacy and Security Rules.
The Privacy Rule
- Protects health information from unauthorized uses and disclosures.
- Provides nationwide minimum standards for the protection of the privacy of health information.
- Provides health care consumers with more rights and control over the uses and disclosures of their health information.

The Security Rule
- Protects health information in electronic form from alteration, loss or destruction, and from unauthorized access.
- Security and privacy go hand in hand: you can't have one without the other.

What does this have to do with hospice?
- Hospices are covered entities.
- Each hospice must ensure it is doing everything required by the HIPAA Privacy and Security Rules.
- There are significant penalties for not complying.
- HIPAA is the law. Compliance is required; it is not optional.
- Protecting patient privacy is also the right thing to do.

Protected Health Information (PHI): The Heart of the Matter
- PHI, Protected Health Information, is any information, in electronic, written or oral form, that relates to an individual's past, present or future health condition.
Some Examples of PHI
- Name
- Date of Birth
- Date of Admission
- Date of Death/Discharge
- Social Security Number
- Health Insurance Number
- Medical Record Number
- Vehicle ID / License #
- Phone Number
- Address

In a Nutshell
- Protected Health Information is ANY INFORMATION that identifies an individual, or for which there is a reasonable basis to believe the information could be used to identify an individual.

Rule of Thumb
- If you think something might be protected health information, it probably is.
HIPAA Privacy Rule Requirements

Essence of the Privacy Rule
- Hospices are only allowed to use or disclose PHI in ways permitted or required by the Privacy Rule.
- For all other purposes, the patient must sign an authorization form to allow the hospice to use or disclose his or her health information.

Some of the things hospices must do:
- Notice of Privacy Practices
- Privacy Official
- Honor patient privacy rights
- Minimum necessary information
- Provide safeguards for written, oral and electronic health information
- Train staff on their responsibilities
Notice of Privacy Practices
- Tells patients how the hospice is allowed to use and disclose their PHI
- Must be given to all patients before care is provided

Privacy Official
- Responsible for all matters related to privacy practices
- It is important to know the name of the Privacy Official at your hospice

Privacy Rights
- Their purpose is to give individuals more control over how their health information is used and disclosed
- Patients are informed of these rights and how to exercise them in the hospice's Notice of Privacy Practices
Patient Privacy Rights
- To receive a copy of the Notice of Privacy Practices
- To lodge complaints
- To request restrictions on uses and disclosures
- To request communication in an alternative manner
- To request access to PHI
- To request amendment of PHI
- To request an accounting of disclosures of PHI

To Receive a Copy of the Notice of Privacy Practices
- All patients have a right to know how their health information is used and disclosed

To Lodge a Complaint
- The Notice describes how patients can lodge complaints regarding privacy violations and how to contact the hospice's Privacy Official
Request Restrictions on How PHI is Used or Disclosed
- Patients may request limits on how a hospice uses or discloses their PHI

Request Confidential Communications
- Patients may request that their health information be discussed in a certain manner or location

Request Access to PHI
- Patients may inspect or have a copy of their clinical record
- All staff who document in clinical records should be aware that their documentation could be read by the patient or the patient's representative
Request Amendment of PHI
- Patients may request to amend (not alter) clinical records.
- If the patient believes there is a mistake, a notation will be made in the clinical record if the request for amendment is approved.

Request for an Accounting of Disclosures
- Patients have a right to know to whom the hospice may have disclosed their PHI.

The Minimum Necessary
- Hospices may not use, disclose or request more PHI than is absolutely necessary
- Hospice staff may not have access to more PHI than necessary to perform their jobs
- Hospices may not use, disclose or request entire medical records unless specifically authorized to do so in their policies and procedures
Overview of HIPAA Security Rule Requirements

Essence of the Security Rule
- Hospices must have systems and processes in place to ensure that electronic PHI is not lost, altered, or destroyed, and that it is not accessed by anyone not authorized.

Electronic PHI (ePHI)
ePHI includes any medium used to store, access, transmit or receive PHI electronically:
- Laptops / desktops
- External hard drives, flash drives, CDs, DVDs
- Magnetic tape or disks
- Cell phones, beepers
- Network servers, email, etc.
Three Types of Safeguards
- Administrative: operational requirements, administrative actions, and policies and procedures
- Physical: physical measures and policies and procedures needed to protect information systems and buildings from natural and environmental hazards and unauthorized access
- Technical: technology that can be used to protect ePHI

Examples of safeguards
- Security Awareness and Training
- Facility Access Controls
- Disposal and Backup Procedures
What happens when the PHI of a patient is not protected as required by the Privacy and Security Rules?

BREACH!!!!!!!!
Definition of a breach
- When a hospice does not adequately safeguard protected health information and someone who is not authorized obtains access to it.

More on breaches
- Breaches only apply to unsecured PHI. If PHI is secured, it cannot be accessed by someone not authorized.

Unsecured PHI
- PHI that has not been rendered unusable, unreadable or indecipherable
Only two approved ways to secure PHI
- ENCRYPTION
- DESTRUCTION

What to do if you think a breach may have happened:
- Contact your supervisor or Privacy Official at once
- The hospice has very specific notification requirements that must be met

Safeguarding PHI: How everyone can/must help
PHI must be safeguarded from:
- Unauthorized use and disclosure
- Loss
- Destruction
- Unauthorized access

Identify PHI
- Written
- Oral
- Electronic

Where is written PHI?
- Clinical records
- File cabinets
- Reports
- Travel charts
- Fax machines
- Staff mailboxes
- Desks
- Whiteboards
- Trash / recycle bins
- IDG agendas
- Near shredders
- Copiers
How to help
- Lock travel charts in the trunk of your car when not in use
- Only have the minimum amount of PHI necessary in travel charts
- Promptly shred PHI that is no longer needed
- Do not leave PHI unattended on your desk or in your work area

More ways to help
- Lock file cabinets containing PHI when not in use
- Return clinical records promptly
- Locate fax machines, printers and copiers in secure areas
- Remove PHI from copiers, fax machines and printers as soon as possible

Where is oral PHI?
- When talking on the phone
- Over lunch
- During meetings
- Any time you talk about a patient with someone who is not providing care to that patient

Protect Oral PHI
- Don't talk about patients in public places
- Don't talk about patients to anyone not involved in the patient's care
- Do not use the phone in a patient's home to call other patients or discuss patients
- Only share the minimum amount of patient information necessary

Where is electronic PHI?
- Desktop computers
- Laptop computers
- Text messages
- On networks
- On storage devices like flash drives, CDs, external hard drives
- In email
- On beepers
- Be careful with passwords
- Always keep laptops locked and protected when not in use
- Do not include PHI in emails unless it is encrypted
- Do not leave computer screens with PHI unattended
- Follow your hospice's privacy and security policies and procedures

THE HIPAA GOLDEN RULE
Do unto the PHI of others as you would have them do unto yours.