OF MICHIGAN HEALTH SYSTEM

Similar documents
HIPAA Privacy & Security Training for Clinicians

HIPAA Privacy and Security. Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012

HIPAA Education Level One For Volunteers & Observers

PHI- Protected Health Information

Protecting Privacy & Security in the Health Care Setting

Department of Health and Human Services Policy ADMN 004, Attachment A

Privacy and Security For Managers

Louisiana Department of Health and Hospitals Basic HIPAA Privacy Training: Policies and Procedures

Are you in the correct place?

HIPAA Training for Staff and Volunteers

Protecting Patient Privacy It s Everyone s Responsibility

SELF-LEARNING MODULE (SLM) 2012 HIPAA Education Privacy Basics and Intermediate Modules

2014 Core Training 1

HIPAA and You The Basics

Privacy & Security Standards to Protect Patient Information

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014

HIPAA Training for Hospice Staff and Volunteers

HIPAA Privacy for Caregivers

HIPAA Happenings in Hospital Systems. Donna J Brock, RHIT System HIM Audit & Privacy Coordinator

HIPAA Privacy and Security

Health Insurance Portability and Accountability Act of 1996 (HIPAA) Contents

HIPAA Self-Study Module Patient Privacy at Unity Health Care, Inc HIPAA Hotline

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA PRIVACY AND SECURITY TRAINING P I E D M O N T COMMUNITY H EA LT H P L A N

HIPAA Privacy Overview

Health Insurance Portability and Accountability Act HIPAA Privacy Standards

Frequently Asked Questions

Page 1. NAOP HIPAA and Privacy Risks 3/11/2014. Privacy means being able to have control over how your information is collected, used, or shared;

Road to Recovery Fact Sheet

Alliance for Clinical Education (ACE) Student HIPAA Training

HIPAA Policy, Protection, and Pitfalls ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS

Clinical Solutions. 2 Hour CEU

Target Audience: All Non-Management CHS Employees, Students, Volunteers, and Physicians

The Department of Health and Human Services Privacy Awareness Training. Fiscal Year 2015

HIPAA Privacy & Security Health Insurance Portability and Accountability Act

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

Statement of Policy. Reason for Policy

Privacy Training for Harvard Medical Students

Annual Compliance Training. HITECH/HIPAA Refresher

HIPAA Privacy and Security

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff

ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY INFORMATION HANDLING

ACRONYMS: HIPAA: Health Insurance Portability and Accountability Act PHI: Protected Health Information

PCI Data Security. Information Services & Cash Management. Contents

HIPAA Awareness Training

HIPAA and Privacy Policy Training

HIPAA Basic Training for Privacy & Information Security

Information Security Policy

What is HIPAA? The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996.

How To Ensure Your Office Meets The Privacy And Security Requirements Of The Health Insurance Portability And Accountability Act (Hipaa)

HIPAA. For General Workforce. What you need to know. HIPAA Training Presentation for Management Workforce

HIPAA PRIVACY POLICIES & PROCEDURES. Department of Behavioral Health and Developmental Services DBHHDS GENERAL AWARENESS TRAINING

Policy Scope: The policy applies across the Division to all DPH workgroups who maintain, use, have access to, or come into contact with IIHI.

Donna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS

HIPAA POLICY PROCEDURE GUIDE

Communicating with a Patient s Family, Friends, or Others Involved in the Patient s Care

HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 HIPAA

PRIVACY AND SECURITY SURVIVAL TRAINING

Topics. What are privacy and security all about? How can I protect confidential information? What should I do if I see a problem?

HIPAA PRIVACY SELF-STUDY MATERIALS

Please use your cell phone to access this website: pollev.com/ucsfprivacy

How To Protect Your Health Information At Uni Of California

Privacy & Security of Patient Information 2010

Compliance HIPAA Training. Steve M. McCarty, Esq. General Counsel Sound Physicians

Privacy for Beginners: What Every Healthcare Worker Needs to Know About HIPAA and Privacy

HIPAA PRIVACY DIRECTIONS. HIPAA Privacy/Security Personal Privacy. What is HIPAA? 6/28/2012

HIPPA Goes HITECH. Data Protection for Agents

HIPAA. The Health Insurance Portability and Accountability Act, commonly. Health Insurance Portability and Accountability Act of 1996

Are you in the correct place?

8.03 Health Insurance Portability and Accountability Act (HIPAA)

Health Insurance Portability and Accountability Act (HIPAA) Compliance Training

Guadalupe Regional Medical Center

NOTICE OF PRIVACY PRACTICES

HIPAA 101: Privacy and Security Basics

Privacy and Security Awareness

St. Elizabeth Healthcare

Enrollment Updates/HIPAA

HIPAA Compliance Annual Mandatory Education

SHS Annual Information Security Training

HIPAA TRAINING. A training course for Shiawassee County Community Mental Health Authority Employees

Section 5 Identify Theft Red Flags and Address Discrepancy Procedures Index

HIPAA/ HITECH HEALTH INSURANCE PORTABILITY ACCOUNTABILITY ACT. and. Health Information Technology for Economic and Clinical Health Act.

HIPAA In The Workplace. What Every Employee Should Know and Remember

NORTH CAROLINA COMMUNITY CARE INC. Privacy Policy Manual

HIPAA and Health Information Privacy and Security

TOURO UNIVERSITY WORLDWIDE AND TOURO COLLEGE LOS ANGELES IDENTITY THEFT PREVENTION POLICY 1.0 POLICY/PROCEDURE 2.0 PURPOSE 3.0 SCOPE 4.

The Basics of HIPAA Privacy and Security and HITECH

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

DSHS CA Security For Providers

A Privacy and Information Security Guide for UCLA Workforce. HIPAA and California Privacy Laws

HIPAA: Bigger and More Annoying

Health Insurance Portability and Accountability Act (HIPAA) Overview

Data Protection and Information Security. Data Security - Guidelines for the use of Personal Data

BERKELEY COLLEGE DATA SECURITY POLICY

HIPAA POLICY PROCEDURE GUIDE

By the end of this course you will demonstrate:

AUBURN WATER SYSTEM. Identity Theft Prevention Program. Effective October 20, 2008

Mobility and Young London Annex 4: Sharing Information Securely

THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) EMPLOYEE TRAINING MANUAL

Transcription:

1 PHI - Protected Health Information UNIVERSITY OF MICHIGAN HEALTH SYSTEM Updated 09/23/2013

2 Q: Is PHI the same as the medical record? A: No. protects more than the official medical record. Lots of other information besides the official medical record is considered PHI (e.g., billing records, etc.) For example, the fact that a person is a patient here at UMHS is considered PHI. Thus, it would be a violation to tell a friend or family member that a mutual friend or neighbor was admitted to UMHS, unless the patient gave authorization to do so.

3 Q: What if I m accidentally overheard discussing a patient s PHI record? A: This is usually considered an incidental disclosure. It is not a violation as long as you take reasonable precautions and discuss the protected health information for a legitimate purpose. The privacy rule is not meant to prevent health care team members from communicating with each other and their patients during the course of treatment. These "incidental disclosures" are allowed under.

4 Q: If I overhear patient care information in the elevator or in the hallway, how should I handle it? A: There are signs in the elevators stating that patient information should not be discussed. Point to the sign and remind the speakers of the policy. If the conversation clearly violates policies or regulations, report it to the UMHS Compliance Office, and if possible, obtain the name(s) of the speakers so education can be provided.

5 General Access Q: I work in the hospital and don't need to access PHI for my job, but every now and then a patient s family member asks me about a patient. What should I do? A: Explain that you do not have access to that information, and refer the individual to the patient s health care provider.

6 Category 1 Disclosures Patient Authorization NOT Required Q: What should I do if a government agency or law enforcement person requests information about a patient? A: If working with law enforcement is not part of your responsibility, contact your supervisor or the Health System Legal Office (HSLO) at 764-2178 or the attorney on call can be contacted through the hospital operator. Those who do work directly with law enforcement receive special training on the special rules about disclosing patient information to law enforcement authorites. The privacy rules are very specific in this area.

7 Category 2 Disclosures Patient Authorization Required Q: As part of my job, I have access to a patient s PHI. How do I know which family and friends can be told this information? A: Always ask the patient who can receive this information and document the patient s response in the medical record. The best way to do this is to have the patient complete the UMHS Family & Friends List Form - one for outpatient and one for each inpatient admission. Check with your supervisor. In cases where you cannot ask (e.g., patient is not present or is unconscious) and there is an no other documentation in the medical record, use your professional judgment.

8 Category 2 Disclosures Patient Authorization Required Q: When I am speaking to a patient, and friends or family members are in the treatment room, do I assume the patient has given me permission to speak of the PHI in front of these persons or do I need to ask them to leave? A: Do not assume it is okay to speak in from of the other people. Ask the patient if it okay to discuss their PHI in front of the person(s). If highly sensitive information needs to be discussed (HIV status for example), then ask the person(s) to leave the room before beginning any discussion about the highly sensitive information.

9 Q: If the patient is not conscious, to whom can we disclose the PHI? Category 2 Disclosures Patient Authorization Required A: You will have to decide this on a caseby-case basis. If you know the patient's preferences, as in you can tell my spouse, but not my sister, then document the request and follow it. Otherwise, use your professional judgment. Always use the Minimum Necessary standard: disclose only information that is directly relevant to the person's involvement with the patient's health care. Once a patient has regained consciousness, he or she will determine when and how we can share protected information.

10 Category 2 Disclosures Patient Authorization Required Q: Can someone else still pick up a patient's prescriptions, x-rays, or medical supplies? A: Yes, if in the care provider's professional judgment it is okay to give the prescription, x-rays or medical supplies to that individual.

11 Verification Requests for PHI by Phone Q: What if I get a phone call looking for information, and the caller says it s the patient? What should I do? A: If the request is made by phone, and the requester identifies him- or herself as the patient, you can ask him or her to provide personal information for verification, such as his or her UMHS medical record number, birth date, or address.

12 Verification Requests for PHI by Phone Q: What about requests to leave information on voice mail or an answering machine? A: If you are asked to phone or leave confidential information via voice mail, for example, you should verify with the patient or other approved individual that it is okay to leave messages this way. Make sure you confirm the number, and only leave the minimum necessary information. Your unit may have more restrictive policies, so check with your supervisor on what is appropriate.

13 Verification Requests for PHI by Phone Q: What if I m not supposed to leave a message? A: If you are asked not to leave voice messages, do not. This is especially important with patients who may not want to share PHI with family members, roommates, or co-workers. Also, at UMHS, encourage the patient to sign up for the patient portal (MyChart), which is a good way to communicate confidentially with the patient about upcoming appointment reminders, test results, etc.

Verification Requests for PHI by Phone Q: How much information is it OK to leave? A: Always leave the minimum possible amount of information. For example: This is the University of Michigan calling to remind you of your appointment on Wednesday, January 8. If you have questions or need to change your appointment, call XXX-XXXX. Notice: No information is included about where the appointment is or who the appointment is with. 14

15 Verification Requests for PHI by E-mail Q: What if a patient requests that I communicate with him or her via e- mail? A: If your unit has specific policies regarding e-mail requests, follow them. Otherwise, here are some things you can do

16 Verification Requests for PHI by E-mail 1.Make sure that patients understand that e-mail is not secure Requests by email cont d. and there is a risk that a 3 rd party could obtain the information in the transmission. 2. At UMHS, Encourage the patient to sign up for and use the patient portal (MyChart) which is a secure way to communicate with providers. 3. Inform the patient to not use e-mail for time sensitive matters, as you may be out of the office or busy taking care of other patients. 4. Do not initiate e-mail with patients without first getting their permission, and only use the e-mail address they provide, unless they notify you of a change. -cont d. on next page

17 Verification Requests for PHI by E-mail Requests by email cont d. 5. If you receive any request via e-mail, don t assume the sender is the person he or she claims to be, especially if the request is unexpected. If you have not previously verified an e-mail address with the patient, contact either the patient to verify the sender s identity and e-mail address, or contact the person making the request by another method for verification of the e-mail address. If in doubt, talk to your supervisor. In general, be careful about sending PHI in response to e-mails because of the difficulty in identifying senders accurately. 6. Minimize the amount of information disclosed in an e-mail communication with a patient.

18 Verification Requests for PHI by Fax Q: What do I do if I receive a request for PHI by fax? A: Most often, faxed requests for PHI will come from other health care providers or payers, like billing agencies or insurance companies, although patients may occasionally ask to have information faxed to them. Check with your supervisor about your unit s procedures for sending PHI via fax. Note: violations easily occur through mis-dialing of fax numbers. Click here for more information to prevent this from happening.

19 Verification Requests for PHI by Pager Q: What if I receive a PHI on my pager? A: When communicating via pagers, send only the minimum amount of information necessary, and delete received messages once you no longer need them.

20 Staff Access Q: I have students and/or temporary staff people who will only be here a short time. They need computer access to do their work. Can I give them my password or log them in as me? A: No. It is against policy to allow any staff, including temporary staff, to use another employee's log in and/or password for computer access. If you allow someone to use your access, you will be held responsible for what they do. Your department's authorized signer can make the request for new accounts.

21 Security Q: What s the first thing to do to protect PHI on a laptop or other portable device such as a tablet? A: If a portable device is appropriately encrypted, and it is lost or stolen, the information on the device cannot be accessed without an encryption key (another password.) Encryption is the best and safest way to secure and protect PHI/ePHI. At UMHS, Contact Medical Center Information Technology (MCIT) for assistance with encryption.

Disposal Q: How do I dispose of PHI? A: Papers containing PHI either need to be shredded or disposed of in designated confidential recycling receptacles, such as the locked blue bins in many Health System facilities, and not in the regular trash. Thumb/flash drives, CD-ROMs, Computer hard drives and memory cards (e.g., on fax machines and copiers) must be physically destroyed or electronically shredded. Contact your IT Support for assistance. 22

23 Certificate and Credit IF YOU ARE associated with UMHS (the University of Michigan Health System) Please close this window and complete the remainder of the learning activity. IF YOU ARE associated with the University of Michigan (Non- UMHS) Click this link to download a printable PDF certificate.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information