HIPAA Health Insurance Portability and Accountability Act


HIPAA
Office of Experiential Education
Health Insurance Portability
and Accountability Act
What is HIPAA?
• Health Insurance Portability and Accountability Act
• Enacted on April 14, 2003
• A Federal Law written to:
  - Enhance data exchange: more effective and efficient for administrative and financial transactions
  - Improve healthcare information security and privacy
HIPAA Principles
1. Protect the privacy of protected patient information
2. Use and disclose the minimum necessary amount of protected information
3. Establish the rights of patients to approve who has access to and use of their medical information.
Health Information Disclosure
• Covered entities have specific obligations toward protected health information (PHI), which includes information transmitted or maintained in any medium, including ORAL COMMUNICATIONS
• Providers and plans may NOT use or disclose an individual’s health information except for:
  - Treatment
  - Payment
  - Regular health care operations
• Any additional disclosures require a signed authorization from the patient
What is Protected Health Information (PHI)?
• Information resulting from demographic information being paired with physical or mental health or health insurance/prescription information.
Protected Health Information
• Health information in any form is considered protected health information (PHI) if it:
  (1) is created or received by a covered entity
  (2) relates to a patient’s past, present or future physical or mental health condition
  (3) identifies the individual or creates a basis to believe that the information can be used to identify the individual.
Specific PHI Elements
(This information must be de-identified or removed from patient information unless it is being used in the treatment of the patient.)
• Name
• All geographic info
  - City, County, State, Precinct, Zip Codes, Street Address
• Elements of Dates
  - Birth Dates, Admission, Discharge, Date of Death, and Ages >89 years old
• Telephone/Fax numbers
• Email address
• Social Security #
• Medical Record #
• Health Plan #
• Account #
• Certificate/license #
• Vehicle/serial #
• License plate #
• Device/serial #
• URLs
• IP Address
• Biometric Identifiers: Finger/voice prints
• Full face photo
Protected Health Information
• Records kept in a pharmacy that would meet the definition of PHI
  - Prescription records
  - Billing records
  - Patient profiles
  - Insurance Cards
  - May include certain phone calls from patients
  - Verbal patient counseling
Where would a pharmacy student find PHI?
• Medical or Clinical Charts
• Medication Administration Records (MAR)
• Billing Records
• Rounding Lists
• Electronic Databases
• Rounding Conversation
• Faxes
• Emails
Use and Disclosure Rule
• Must take reasonable efforts to use and disclose only the “Minimum Necessary” amount of PHI appropriate to the situation.
  - Limit disclosure for payment and operations
    • Understand WHY the information is necessary
    • Question if information seems unnecessary
  - Casual conversation
    • Don’t discuss patients with health care professionals not directly involved in their care
• Providers should limit access to patient information on a need-to-know basis.
• Remember, do not use HIPAA as an excuse not to report adverse drug events.
For a pharmacy student, what is the “Minimum Necessary”?
• Access ONLY the PHI you need to provide medication therapy management. This would include:
  - Patient name, date of birth, height, weight, past medical history, physical exam, lab values, diagnoses, tests performed and the results, and the medications.
Can PHI be disclosed without authorization?
• Yes.
  - Public health activities
  - Law enforcement, judicial proceedings
  - Reports of abuse or neglect
  - Health oversight activities
  - Coroners, funeral directors
  - Organ and tissue donation
  - Certain research activities
  - Threat to public safety
  - Military functions
  - Inmates
  - Worker’s compensation
  - Sale, transfer, merger or consolidation of all or part of covered entity
What should be done when an employee makes an unauthorized disclosure of PHI?
• Sanction the employee
• Attempt to contain the damage caused by the disclosure
• Document the event
  - Description of what was disclosed
  - Statement of the reason the PHI is disclosed
  - Date
  - The name and address (if known) of the person or entity that you disclosed to
• Must also make an accounting of the events to the affected patient(s)
• Stiff penalties including fines and prison terms associated with noncompliance.
Recent Case – July 2013
• Woman awarded $1.44 million after finding Walgreens and pharmacist violated privacy.
• Pharmacist violated privacy by looking up and sharing prescription history.
• Pharmacist admitted she was aware of strict privacy policy and knew she was violating it.
• Walgreens contends this is a misapplication of the law to hold an employer liable for the actions of one employee. They intend to appeal.
Source: Walgreens must pay woman $1.44 million over HIPAA violation, Jul. 26, 2013, written by Tim Evans, indystar.com.
What do I do if I need to speak to a patient in an institutional setting?
• Create a space that is private.
• Speak in the patient’s room
• Pull the curtain closed if it is a shared room
• If family members are in the room, explain to the patient that you will be discussing private information about their health and ask if they would like their family members to listen also. If not, and it is an appropriate time to speak to the patient, ask the family members to step out of the room for a moment while you speak to the patient.
As a student, can you keep written records about your patients?
• Yes, BUT you must safeguard this information.
• Don’t use your phone to take a picture of information in the patient’s chart
• Don’t photocopy information from the patient’s chart
• Don’t access information for patients you aren’t directly following even if they are relatives and/or friends.
• Do not leave any written materials, PDAs or laptops with patient information on tables or in lab coats that you are not wearing.
• Always put paper with patient information in locked containers to be shredded.
• Remember to keep PDAs and laptops password protected when they contain patient information and to delete information that is not needed.
Helpful TIPS
• Keep conversations about patients as private as possible.
• Use discretion when calling out names in waiting rooms or pharmacies.
• Keep patient lists and schedules out of public view.
• When discussing cases with fellow students, strip identifiers from the case.
• Never leave the patient’s medical record unattended or open.
• Respect the patient’s privacy when requesting medical information over the phone. Do not repeat names, numbers, etc. so that these can be overheard.
• Verify the identity of the individual requesting patient information.
• Use passwords on computers that only you know.
• Do not share passwords.
• Log off any computer if you get up and leave.
• Protect the security of laptops and PDAs with password protection.
• Remove/destroy PHI when it is no longer needed.
Rights of Individuals to PHI
• Patients have the right to access their health information.
• Requests for information must be honored within 30 days.
• Patients can “amend” their health record. Requests must be acted on within 60 days. You may deny a request if it is not appropriate.
• Patients have the right to request that health care providers restrict disclosure of information to health plans in situations in which a patient has paid for an item or service in full.
Privacy Official
• To ensure that any covered entity (including pharmacies) is committed to developing and implementing the HIPAA guidelines, an individual must be named as a “privacy official”.
• This individual is responsible for developing and implementing HIPAA-related policies and procedures
Security Rule
• Requires entities to:
  - Protect ePHI against unauthorized access and improper alteration or destruction
  - Protect against threats or hazards to the security or integrity of ePHI
  - Protect against unauthorized uses or disclosure of ePHI
  - Make ePHI readily available to authorized personnel when needed
  - Institute security measures that must be followed by all members of the workforce including students, management, and vendors or contractors
• Applies only to electronic protected health information
• Computer systems should be up to date, but it is your responsibility to ensure the safety of the ePHI
Conclusions
• May use protected health information when speaking with other health care professionals involved in the treatment of the patient.
• Use common sense when dealing with health care information.
• Questions about the use of PHI should be directed to your supervisor.
Common Questions
• Q. Can I allow customers to see the signature of others (such as in a log documenting an offer to counsel)?
• Q. Can I call a customer to the pharmacy over a loud speaker?
• Q. Do I have to remodel the pharmacy to provide a private counseling area?
• Q. If a pharmacist calls a patient’s home to talk to them about an issue and the patient is not home, can a message be left with another person?
• Q. Does a pharmacy have to comply with a patient’s request to further restrict uses and disclosures for treatment, payment or operations?
• Q. Can a pharmacy specify in its Notice of Privacy Practices that a spouse provide a signature of acknowledgement on their own behalf and on behalf of their spouse and minor children?
• Q. Can PHI be faxed to another practitioner?
• Q. Can a patient have a family member or a friend pick up a prescription?
• Q. Can a pharmacist disclose information about a patient to another individual who is picking up that prescription?