HIPAA Privacy Training


HIPAA Privacy Training
Health Insurance Portability & Accountability Act of 1996
Standards for Privacy of Individually Identifiable Health
Information
45 CFR Parts 160 and 164
THIS INFORMATION MUST BE PRESENTED OR, IF
THROUGH SELF-STUDY, REVIEWED IN ITS ENTIRETY.
The Health Insurance Portability and Accountability Act (HIPAA) was
enacted in 1996 and focused on improving health insurance
accessibility for persons changing employment or leaving the work
force (portability). HIPAA consists of several different parts. One
part, called the Privacy Rule, concerns the privacy of health
information. The Privacy Rule includes a requirement that all
members of a health care provider’s workforce (including students)
must be trained on the provider’s policies and procedures relating to
privacy.
This training program was developed through a collaborative effort
of representatives of various Hawaii health care providers. The
collaborative facilities developed and adopted a standard policy with
regard to appropriate uses of health information for educational
purposes. Although the policies of these facilities may be similar,
specific procedures may vary from facility to facility. Therefore,
when you begin your training at a facility, you should familiarize
yourself with the specific policies and procedures of that facility.
The Privacy Rule
• Creates national foundation of privacy
• Does not preempt more stringent state laws
• Extends:
  • Certain individual rights to privacy
  • Protection of individual’s medical records and health information
HIPAA addresses national standards for electronic data
transmission, unique health identifiers, security standards, and
standards for privacy and confidentiality. Covered Entities
were required to comply with the Privacy Rule by April 14,
2003. The government believes a national foundation of
privacy protections is necessary because technological
advances have resulted in increasing electronic transmission of
health care data.
Standardization of the collection, storage and transmission of
such data has been limited, while public concern about the
privacy and security of health information has grown.
It is important to note that HIPAA provides a floor of
protection, and does not preempt more stringent protections
provided under state law. Therefore, a health care provider
must be familiar with both state and federal laws relating to
the use and disclosure of health information.
2
Who’s affected?
Direct impact:
• Health plans
• Health care clearinghouses
• Health care providers (who transmit health information electronically)
Indirect impact:
• Business associates (vendors, consultants, contracted providers)
All Covered Entities are required to comply with HIPAA
regulations. Covered Entities include Health Plans that provide or
pay the cost of medical care, including employer plans and
programs, Health Care Providers (doctors, nurses, hospitals, etc.)
who perform electronic transactions and Health Care
Clearinghouses (entities that process data from non-standard
format to standard format, or vice versa).
Business Associates of a Covered Entity, including vendors and
consultants, are usually required to comply with HIPAA
regulations by means of a Business Associate Agreement with the
Covered Entity. A Business Associate may or may not be a
Covered Entity.
3
What’s protected?
Protected health information (PHI) refers to:
• Individually identifiable health information relating to:
  • Person’s past, present and future health or condition;
  • Provision of health services to the person
  • Past, present and future payment of health services to the person
• Information transmitted or maintained in any form
• Includes data considered individually identifiable
Protected Health Information (PHI) means any individually
identifiable health information about a person. PHI is
protected under HIPAA and, therefore, cannot be disclosed by
a Covered Entity without the agreement or authorization of
that person, or as allowed by law. This requirement will be
described in more detail later. PHI includes information about
the person’s past, present and future health or condition;
provision of health care services to the person; and past,
present and future payment for health services to the person.
Information transmitted or maintained in any form, whether verbal,
written (paper) or electronic, is protected.
4
What’s individually identifiable?
• Name
• Geographic divisions smaller than State (with exceptions)
• All dates (except year)
• Phone & fax number
• E-mail address
• SSN
• Medical record #
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers
• Device identifiers and serial numbers
• Web URLs
• IP address numbers
• Biometric identifiers (including finger, voice prints)
• Full face photo and other images
• Any other unique identifier
[164.514(b)(2)]
The Privacy Rule identifies several data elements which, when
used alone or in combination, may lead to the identification of a
specific person. These data elements are referred to as
“individually identifiable health information”, and are listed on
this slide.
5
Rules for uses / disclosures of PHI
• Treatment, Payment, Health Care Operations (TPO)
• Opportunity to Object
• Agreement or Authorization not required (Exceptions)
• Authorization
There are four general rules about the use or disclosure of
PHI:
1. PHI can be disclosed for the purposes of Treatment, Payment or
Health Care Operations (TPO) without the consent, agreement
or authorization of the patient.
2. The patient has the opportunity to agree or object to certain
use or disclosure of PHI.
3. In some situations, usually as required under existing laws, PHI
may be disclosed without the patient’s authorization or agreement.
4. Finally, in any other circumstance not described above, the
patient will need to provide written authorization for the use or
disclosure of his/her PHI.
6
Permitted Uses of PHI
Uses/disclosures permitted for:
• Treatment
  • Some facilities may still require patient authorization for release of PHI
• Payment
• Health care operations (quality improvement, staff performance review, training in areas of health care, accreditation, medical review, audits, business planning and development, general administration, etc.)
Use or disclosure of PHI is permitted for a Covered Entity’s
Treatment, Payment and Health Care operations.
A Covered Entity may also disclose PHI to a health care provider
for treatment purposes. Many facilities now release PHI for
treatment as long as they receive a request stating that the
provider is involved in the patient’s treatment and the PHI is
needed for the patient’s treatment. It is important to recognize,
though, that a facility can be more stringent and may still require
written authorization, consent or other verification to release PHI
for treatment.
Covered Entities can also release PHI to each other for either
Covered Entity’s payment purposes and for certain health care
operations, as long as each Covered Entity has or had a
relationship with the patient who is the subject of the PHI and the
information released is relevant to that relationship. Examples are
provided on slide 26.
7
Opportunity to Object
• Facility directories
• To clergy
• To persons involved in individual’s care
• Notification purposes
• Disaster relief purposes
Under the Privacy Rule, a Covered Entity can use or disclose
PHI for certain purposes as long as the patient verbally
agrees, or the patient has been given an opportunity to
object to the disclosure and has not objected. These
purposes are listed above.
Each facility has established procedures about how these
uses or disclosures are implemented. See the Matrix for
information about each facility’s procedures. Be sure to
review this information before you begin your training at a
facility.
8
Agreement or Authorization Not Required (Exceptions)
• Required by law
• Public health activities
• Victims of abuse/neglect/domestic violence
• Health oversight
• Judicial/administrative proceedings
• Limited law enforcement purposes
• Coroners, medical examiners & funeral directors
• Organ/tissue donations
• Research purposes
• Serious threat to self/others
• Specialized government functions
• Worker’s comp
In certain situations, disclosure is permitted without an
authorization or an opportunity to object. This slide lists the
types of disclosures that are allowed without the patient’s
authorization or agreement. Many of these disclosures are to
government officials acting in a professional capacity. In
general, students would not make these types of disclosures.
For each of these types of disclosures, the Covered Entity must
follow certain rules, in terms of how and what PHI is released. In
addition, the Covered Entity must track and account for these
disclosures. Therefore if you receive an inquiry that relates to
these types of disclosures, you must check with the patient’s
attending physician, the facility’s nursing staff or the facility’s
Privacy Officer before you release any information.
9
Authorizations
For all other uses and disclosures of PHI
A valid authorization from the patient is required for any
other disclosure of PHI.
For example, if a patient applies for life insurance, before
the facility can disclose PHI to the life insurance
company, the patient must provide a signed authorization
form to the facility.
10
Notice of Privacy Practices
• Describes to patients how their protected health information may be used/disclosed
• Details patient’s legal rights in regards to their PHI and how to exercise these rights
• Details legal obligations of covered entity to protect PHI
The Covered Entity must give the patient a Notice of Privacy Practices,
which describes the ways the Covered Entity could use or
disclose PHI.
A health care provider who has a direct treatment relationship
must provide the Notice at the time of the first service delivery,
or in an emergency situation, as soon as possible.
The Covered Entity must also make a good faith effort to obtain
the patient’s written acknowledgement of receipt of the Notice.
If the acknowledgement was not obtained, the Covered Entity
must document the reason why the acknowledgement was not
obtained.
11
Individual’s Rights
• To receive Notice of Privacy Practices
• To inspect and/or obtain copy of PHI
• To request to amend PHI
• To request limits on certain uses/disclosures of PHI
• To receive accounting of disclosures
• To receive confidential communications
• To file a complaint
HIPAA gives the patient rights to privacy and accessibility with
regard to his/her PHI. These rights are listed on this slide.
Each facility has procedures about how the patient may
exercise these rights. Refer any patient with questions about
his/her rights under the Privacy Rule to the facility’s Privacy
Officer.
12
Other Requirements
• De-identification of PHI
• Minimum necessary
• Workforce Training
• Verification Process
• Business Associate Contracts
The Privacy Rule includes several other requirements:
• De-identification is the process of stripping PHI of all
individually identifiable elements (see slide 5).
• The minimum necessary standard (e.g. need-to-know) will be
covered later.
• The Covered Entity must train all members of its workforce on
its policies and procedures related to privacy. Students are
considered part of the facility’s workforce, which is why you are
completing this training.
• Verification process refers to a requirement that a Covered
Entity must verify the identity and authority of a person who is
requesting to have access to PHI.
• Finally, a Covered Entity must enter into a Business Associate
Contract with a person or entity who provides certain types of
services for the Covered Entity and who accesses PHI in the
course of providing those services.
13
Other Restrictions
• Marketing
• Fundraising
• Specially Protected Health Information
  • Additional protections under Hawaii State law relating to release of HIV, mental health and substance abuse treatment records
The Privacy Rule imposes other restrictions on the use or
disclosure of PHI for marketing and fundraising. Those
restrictions will not be discussed here. If in the future, you are
involved in marketing or fundraising, you will need to
familiarize yourself with applicable sections of the Privacy Rule.
As stated previously, the federal Privacy Rule does not preempt
more stringent state law. In Hawaii, certain information, called
specially protected health information, is afforded more
stringent protection. Under Hawaii State law, release of
specially protected health information requires the patient’s
consent, including for treatment and payment purposes.
14
What’s the consequence of non-compliance?
• Penalties:
  • Civil: $100 per violation; up to $25,000 per year
  • Criminal: up to $250,000 and/or 10 years in prison
There are penalties for violating or failing to
comply with the Privacy Rule. A Covered Entity
may be subject to civil and criminal sanctions that
include monetary fines and imprisonment.
15
Sanctions
• Facilities required to sanction members of workforce (includes “students”) who violate policies and procedures relating to privacy and security of health information.
• Student sanctions may include suspension or termination of access privileges to PHI and/or participation in educational programs at facility.
A Covered Entity is required to have a process for
sanctioning workforce members who violate privacy
policies and procedures. Student sanctions may be
levied by the facility and/or the educational program
with which you participate.
16
What you need to know to operate in different facilities
• Facility Directory
• Family Involvement
• Minimum Necessary
• Appropriate Educational Access/Use
• Requesting/Disclosing PHI for treatment
• Request/Disclosures to Govt. agencies
• Patient Requested Restrictions on use/disclosure
As stated previously, privacy training includes training about
the facility’s policies and procedures. Each facility may
implement its procedures differently. See the Matrix for
information about each facility’s procedures. Be sure to
review this information before you begin your training at a
facility.
17
What is a Facility Directory?
• The information a hospital releases to the media or the public when they call to ask about a patient
• This information is limited to:
  • Location
  • Condition
• May only release info in the directory to people who ask for patient BY NAME
“Facility directory” requirements apply to hospital inpatients.
The hospital maintains a list of inpatients. If a caller or visitor asks
for a patient BY NAME, the hospital may:
1. Acknowledge the patient’s presence;
2. Provide the patient’s room number; and
3. Provide a one word description of the patient’s condition.
This is the maximum amount of information that may be
disclosed for facility directory purposes.
Facility directory requirements apply to inquiries by members of the
media, as well as other callers or visitors.
18
Facility Directory
• Patient may ask hospital to NOT release information to media or others who call
• Each hospital will have process to identify these NO INFORMATION patients
• YOU must be aware of each hospital’s codes and process to identify these patients
• DO NOT release information in violation of the patient’s information status
The patient has the right to object to disclosures for facility
directory purposes. In other words, the patient may tell the hospital
to disclose no information about him/her to callers or visitors.
The hospital must honor the patient’s request for privacy. As a
member of the hospital’s workforce, you must not disclose
information about a patient with “No Information” status to
callers or visitors.
Each hospital has established procedures for honoring the patient’s
request. See the Matrix for details.
19
Facility Directory
NO INFORMATION STATUS
• PATIENT’S LOCATION/CONDITION WILL NOT BE DISCLOSED TO ANYONE, INCLUDING FAMILY/FRIENDS
• Anyone asking for patient will be told, “We have no information regarding the individual.”
If patient has requested “No Information” status, the hospital
will not:
1. Acknowledge the patient’s presence;
2. Disclose the patient’s room number;
3. Describe the patient’s condition;
4. Accept flowers, gifts or mail for the patient.
This restriction applies to family members, friends, or any one
else who may call or visit the hospital. They will be told,
“We have no information about a person by that name.”
20
What should I do?
Scenario #1:
Q: I am approached in the hallway by someone
who asks me if I know what room a patient is
in. I saw the patient’s name on the unit I just
left. What should I do?
A: Refer the person to the nurses’ station,
information desk, or hospital operator. You
do not know whether the patient has
requested a NO INFORMATION status or
other restrictions.
This scenario may present a cultural change, as most
healthcare providers want to be helpful to visitors,
understanding that family members may be worried about
their loved one. However, we need to be mindful of the
patient’s right to privacy.
21
Family Involvement
• A patient’s health information may be disclosed to family/others if:
  • Patient gives verbal agreement,
  • Patient has opportunity to object and does not, or
  • You can infer from circumstances that patient does not object
• Emergency/incompetent patients: release information using professional judgement in best interests of patient
Examples of Permitted Disclosures to Family, Friends or Others:
1. Daughter accompanies elderly patient into exam room. The
patient says, “Can you explain it to my daughter?” You may
provide instructions to the daughter.
2. Wife goes to pharmacy and asks to pick up the prescription that
Dr. Young called in for her husband. You may give the
medications to the wife.
3. Patient tells you that neighbor has been helping him with home
exercise program. You may speak with the neighbor about the
patient’s exercises.
4. You knock on the door and enter patient’s room. There are
several visitors in the room. You don’t know who the visitors are.
You say to the patient, “I’d like to talk with you about discharge
planning. Can we talk now? Perhaps your visitors would like to
have lunch? Or should I come back a little later?”
Exception: In an emergency, when the patient is unable to express
his/her wishes, use your professional judgment. Ask yourself, “Would it
be in the patient’s best interest if I disclosed the information?”
22
Family Involvement
• Information released must be directly relevant to that person’s involvement in the patient’s care or payment for that care
• A patient has the right to request that you not release information to family/others.
• If a patient asks that you not talk with family/others, please refer patient to nursing staff.
A Permitted Disclosure:
Friend picks up patient after procedure. Patient will stay with
friend for a few days. Friend asks, “What do I need to do?” You
may explain to friend, “Here are her prescriptions. Be sure to
keep the site dry. Sponge bath only. Call the doctor if the site
gets red. No housework or lifting more than ten pounds.”
Not A Permitted Disclosure:
You may not describe the patient’s previous episodes of care to the
friend: the Emergency Room visit when she was a possible DUI, the
results of the biopsy she had two years ago, etc.
Responding to Patient’s Request:
It’s important that you inform staff of patient’s request to limit
involvement of family, friends or others. Staff will know how to
document and follow-up on the request. Each facility has
established procedures for responding to such a request. See
Matrix for details.
23
What should I do?
Scenario #2:
Q: The spouse of a patient I am seeing
approaches me in the hallway and begins
asking me questions about the patient.
During my assessment visit, the patient
indicated that she did not want information
shared with her spouse.
What should I do?
A: Patients have a right to not involve family
members and others in their care. You should
not share any information with the spouse per
the patient’s request and you should alert the
nursing staff about the patient’s request.
The patient explicitly stated that she did not want her health
information to be shared with her husband. As difficult as it may
seem, you must honor her request.
It is also important for you to promptly notify staff about the patient’s
request. They will know how to document and respond to the
patient’s request.
Once a facility has agreed to a patient’s restriction request,
everyone, including students, must abide by it.
24
Minimum Necessary
• Need-to-Know Rule
• Access is a privilege. Individuals with access privileges have an obligation to limit access and use to the minimum necessary to perform their duties and responsibilities.
A key element of the Privacy Rule is the minimum necessary
standard. This is the need-to-know rule. You are only
permitted to access and use the minimum necessary amount
of PHI for your specific duty, responsibility or purpose.
In terms of educational uses of PHI, you must limit your
access and use to the minimum amount of information
required for your specific educational activity.
Example:
You would like to review records of ER patients admitted for
near drowning for a presentation or paper. First, you must
obtain the required approvals and determine the types of
information or data that you will need to collect. Then, you
must limit your access to only the episodes of care that relate
to the study topic and record only the data elements that are
necessary to prepare your presentation or paper.
25
Request/Disclose PHI for Treatment Purposes
• May request/disclose PHI for treatment where:
  • Request is from a provider to whom you referred the patient for treatment or provider involvement in patient’s treatment is documented in medical record, or
  • Patient has signed an authorization or release for the disclosure to the provider, or
  • Provider has requested, in writing, the PHI for treatment purposes
As a student, you may be asked to release PHI to another health
care provider who is involved in the patient’s care. Under
HIPAA, a health care provider may release PHI to another
provider for treatment purposes without the patient’s
authorization; however, this disclosure is subject to verification
of the identity and authority of the requestor. At most facilities
(see Matrix), you may disclose PHI to another health care
provider for treatment purposes if:
1. The provider referred the patient to you
2. You referred the patient to the provider
3. The medical record contains documentation of the
provider’s treatment relationship with the patient
4. The provider requests the information for treatment
purposes and the request is made in writing
5. The patient has signed an authorization or other form for
the disclosure of the PHI to that provider
26
Request/Disclosure of PHI to/from government agencies
• Refer to Nursing Staff/Attending Physician/Privacy Officer
• Only minimum necessary may be released
• Must do an accounting for the disclosure
Hospitals are required to disclose PHI to government agencies
for many reasons. Examples include reports of child abuse or
neglect, infectious disease reporting, reports of unattended
deaths to the Medical Examiner, etc.
Most students will not be involved in reporting PHI to
government officials. However, you may encounter a situation
in which reporting is mandatory, or a government official, such
as a police officer, asks you for information. Please consult
with the facility’s nursing staff, your supervisor or the facility’s
Privacy Officer before making such a report or releasing
information to any person who is not a health care provider.
Such disclosures must follow the minimum necessary rule.
Additionally, the facility must track or account for such
disclosures. Therefore, it is important that you know and
follow the appropriate procedures before you release any
information to a government official.
27
Patient Requested Restrictions on Use/Disclosure of PHI
• Facility may have agreed to patient requested restrictions on use/disclosures of PHI for treatment, payment or health care operations
• YOU must be aware of each facility’s practice in this regard and where such restrictions would be documented
Under HIPAA, a patient has the right to request restrictions on
the facility’s use or disclosure of PHI for treatment, payment or
health care operations. The facility is not required to agree to
the patient’s request.
For example, a patient may not want students to be involved in
his/her care or to access his/her health information. The facility
will determine whether or not it will honor the patient’s request.
Review the Matrix to familiarize yourself with each facility’s
procedures with regard to such requests. Be aware that when a
facility has agreed to a patient’s restriction request, as a student,
you are obligated to honor the request.
28
Use of PHI for educational purposes
• Allowed without patient consent or authorization
• Parameters of use/disclosure of PHI for educational purposes:
  • Appropriate access
  • Minimum necessary for the purpose
  • Protect/safeguard PHI
  • Appropriate disposal upon completion
Use or disclosure of PHI for educational purposes is considered
one of the facility’s health care operations. Therefore, PHI can
be used by and disclosed to health care students without the
patient’s consent, agreement or authorization. However, HIPAA
does place certain limitations on the use of PHI for educational
purposes.
1. The facility must establish appropriate controls on the
student’s access to PHI
2. PHI disclosed should be limited to the minimum necessary
for the particular educational use or purpose
3. The student who accesses PHI is responsible for protecting
and safeguarding that information and to properly dispose
of any notes or class documents that contain PHI upon
completion of the use or purpose.
4. The student must be aware of and honor any agreed-upon
restriction.
29
Facially de-identified information
• Policy permits use of PHI that is “facially de-identified” for educational purposes.
• Remove same identifiers as in de-identified information, except may leave in:
  • Patient medical record number
  • Dates of Service
  • Zip codes
• This information is still identifiable under HIPAA and remains under federal privacy protections.
The collaborative facilities permit a student to use PHI that has
been “facially de-identified” for his/her educational purposes.
The only difference between de-identified information and
“facially de-identified” information is that “facially de-identified”
information can include the patient’s medical record number,
dates of service and zip code. All other individual identifiers (see
slide 5) must be removed from the information.
Under HIPAA, “facially de-identified” information is still
considered PHI. You must protect “facially de-identified”
information in compliance with the Privacy Rule.
30
“Facially de-identified” means removing:
• Name
• Address
• Phone & fax number
• E-mail address
• SSN
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Web URLs
• Vehicle identifiers and serial numbers
• Device identifiers and serial numbers
• IP address numbers
• Biometric identifiers (including finger, voice prints)
• Full face photo and other images
• Any other unique identifier
This slide lists the identifiers which must be removed from
the PHI in order for the information to be considered
“facially de-identified”.
31
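To make the difference between de-identified and “facially de-identified” information concrete, here is an added Python example (not part of the training material) that strips the slide 5 identifier classes from a constructed patient record in both forms and reports which identifiers survive; the field names, helper names and the sample record are assumptions for this illustration.

```python
"""Strip the identifier classes this training lists from a patient record.

Added illustration, not part of the training material.  Two outputs are
modelled, following the distinction the slides draw:

  "de-identified"          - remove every element on slide 5 (164.514(b)(2));
                             dates keep only the year and geographic data
                             keeps only the state.
  "facially de-identified" - the collaborative facilities' educational
                             variant: the same removals, except that the
                             medical record number, dates of service and
                             zip code may remain.  Slide 30 stresses that
                             this output is still PHI.
"""
from datetime import date
from typing import Any

# Field names are assumptions for this example; each maps onto one of the
# identifier classes on slide 5.  These are removed in both modes.
ALWAYS_REMOVED = {
    "name", "street_address", "city", "phone", "fax", "email", "ssn",
    "health_plan_beneficiary_number", "account_number",
    "certificate_license_number", "vehicle_identifier", "device_serial",
    "web_url", "ip_address", "biometric_identifier", "full_face_photo",
    "other_unique_identifier",
}
# Elements that "facially de-identified" information may keep (slide 30).
FACIAL_EXCEPTIONS = {"medical_record_number", "dates_of_service", "zip"}
# Other date fields: "all dates (except year)" applies to them in both modes.
OTHER_DATE_FIELDS = {"birth_date", "admission_date", "discharge_date"}

MODES = ("de-identified", "facially de-identified")


def _year_only(value: Any) -> Any:
    """Reduce a date object or ISO-8601 string to its year; anything else becomes None."""
    if isinstance(value, date):
        return value.year
    if isinstance(value, str) and value[:4].isdigit():
        return int(value[:4])
    return None


def deidentify(record: dict[str, Any], mode: str = "de-identified") -> dict[str, Any]:
    """Return a copy of `record` with identifiers removed according to `mode`."""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    facial = mode == "facially de-identified"
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in ALWAYS_REMOVED:
            continue                                   # removed in both modes
        if key in FACIAL_EXCEPTIONS:
            if facial:
                out[key] = value                       # MRN, dates of service, zip may stay
            elif key == "dates_of_service":
                # Fully de-identified: only the year of each visit survives.
                years = {_year_only(d) for d in value}
                out["service_years"] = sorted(y for y in years if y is not None)
            continue                                   # MRN and zip are dropped
        if key in OTHER_DATE_FIELDS:
            out[key] = _year_only(value)               # e.g. birth date -> birth year
            continue
        out[key] = value                               # state, diagnosis, clinical text
    return out


def remaining_identifiers(record: dict[str, Any]) -> set[str]:
    """Identifier fields still present; a non-empty set means the record is still PHI."""
    return set(record) & (ALWAYS_REMOVED | FACIAL_EXCEPTIONS)


# Constructed sample record for the example (not real patient data).
SAMPLE: dict[str, Any] = {
    "name": "Jane Q. Sample",
    "street_address": "123 Example St",
    "city": "Honolulu",
    "state": "HI",
    "zip": "96813",
    "birth_date": date(1970, 5, 17),
    "phone": "808-555-0100",
    "ssn": "000-00-0000",
    "medical_record_number": "MRN-000001",
    "dates_of_service": ["2003-04-14", "2003-04-16"],
    "diagnosis": "near drowning",
    "clinical_note": "admitted via ER; discharged in stable condition",
}

if __name__ == "__main__":
    for mode in MODES:
        result = deidentify(SAMPLE, mode)
        left = remaining_identifiers(result)
        print(f"{mode}: still PHI = {bool(left)}, identifiers left = {sorted(left)}")
        print("  ", result)
```

Running it shows the fully de-identified record with no identifier fields left, while the facially de-identified record still carries the MRN, dates of service and zip code, which is why the slides say it must still be protected as PHI.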
Allowable educational access/use
• Treatment
• Observation
• Teaching Rounds
• Retrospective Record/Data Reviews
• Research (with IRB approval)
• Case Presentations
• Patient Logs
This slide lists the types of educational uses or activities for
which a student may access PHI.
Access to PHI or an attempt to access PHI by a student for a
use or activity other than what is listed above would be
considered a violation of the facility’s policies and could result
in sanctions against the student.
32
Is this okay?
Scenario #3:
Q: I heard about a very unusual case in the OR. As a
medical student I am here to learn. I need to
know more about the details so that I may gain a
better understanding of the clinical course. I plan
to review the records before I leave for the day.
Is this okay?
A: No. While it might be argued that educational
benefit can be gained by reviewing unusual cases,
such review should be formally approved and
presented. Individual access to patients’ records
in this type of situation is not appropriate.
Electronic records and systems are monitored for
inappropriate access.
In this scenario, access may seem to fit under one of the
allowable educational uses or activities. What do you think?
The bottom line is that the case may indeed have educational
value to you. But such review must be organized and approved
by the appropriate individuals. Do not access patient information
just because you personally believe it might be educational. Work
through your instructors and the facility.
33
Some Do’s and Don’ts: Treatment and Observation
Can Do
• Access medical records of the patients you are treating/caring for
• Prepare class work with patient identifiers removed
• Observe patient care with approval from department manager/supervising faculty
Cannot Do
• Obtain medical records of patients you are not treating/caring for
• Use data obtained from your cases with patient identifiers such as name, address, birth date left in
• Observe patient care without appropriate approval or where the patient objects
Here are some do’s and don’ts relating to appropriate
use/access of PHI for treatment and observation. This
is not a complete list but will provide you with some
general guidelines.
34
Some Do’s and Don’ts: Teaching Rounds
Can Do
• Share patient information during teaching rounds
• Prepare class work using data from your cases with patient identifiers removed
Cannot Do
• Discuss patients in public areas with no consideration to surroundings
• Include family members in rounds, unless patient has agreed or determination has been made by physician that inclusion is in patient’s best interest
Here are some do’s and don’ts for participation in teaching
rounds.
One important point must be emphasized. Always use
discretion and common sense when discussing cases in
public areas. Do not verbalize details that would
inappropriately disclose patient information.
35
Some Do’s and Don’ts: Retrospective Reviews
Can Do
• Access medical records with written approval of supervising faculty member
• Prepare class work using collected data with patient identifiers removed
• Use aggregate or de-identified patient information
Cannot Do
• Use information collected for research without IRB approval
• Publish or publicly present findings without IRB approval or waiver of authorization
• Contact the patient or the patient’s physician
• Abstract patient identifiers
Here are some do’s and don’ts for retrospective reviews.
If you are thinking of publishing your findings or making a
public presentation, you must obtain the approval of the
facility’s Institutional Review Board (IRB) before accessing
or collecting patient information from medical records. See
the Matrix for information about each facility’s procedures.
36
Some Do’s and Don’ts: Research
Can Do
• With IRB approval:
  • Build a database of patient information
  • Access and use patient identifiable information as approved by IRB
  • Do a public presentation or publish findings using aggregate or de-identified information
Cannot Do
• Any research without IRB approval or waiver
• Publish or publicly present findings that identify the patient without patient authorization
• Access and collect patient data in preparation for a research project without IRB waiver or approval
There are a number of regulatory requirements for research,
and the requirements are quite complex. As a student, the
key points to remember are:
1. Under the HIPAA Privacy Rule, the creation of a database or
repository of patient information may be considered research.
2. You should contact the facility’s Institutional Review Board
(IRB) if you intend to review and collect patient information for
research purposes. It is prudent to seek guidance from the
IRB if you consider publication or public presentation to be
future possibilities.
What should I do?
Scenario #4:
Q: My supervising faculty member has asked me to review
100 charts of newborn babies to determine whether or
not the delivery room temperature has an effect on
babies. Do I need IRB approval?
A: Maybe. If the intent is purely for quality improvement
without intent to publish the findings and you will destroy
the database upon completion, then you do not need IRB
approval or a waiver. But if you intend to publicize,
publish or use the data you collected for any other purpose
and do not get a patient authorization or an IRB approval
or waiver, you would be violating the patient’s rights.
It is sometimes difficult to distinguish between quality
improvement activities and research. If the patient
information you are collecting might be considered for use in
a future research project, it is best to obtain IRB approval.
See the facility’s IRB for information about its application,
review and approval procedures.
Some Do’s and Don’ts:
Case Presentations/Grand Rounds
Can Do
- Access medical records with written approval of the supervising faculty member
- Prepare for the presentation using facially de-identified, aggregate or de-identified information
- Limit the audience to healthcare students/professionals if the presentation might inadvertently reveal the patient’s identity
Cannot Do
- Leave/show the following in your presentation:
  - Patient name
  - Medical record number
- Openly present a high-profile or unusual case where the patient’s privacy may be compromised without the patient’s written authorization for disclosure
Here are some do’s and don’ts for case presentations or
grand rounds.
Although you are permitted to retain the patient’s medical
record number for certain educational purposes, this
information should not be displayed or revealed during your
presentation. If the case you plan to present is high-profile
or extremely rare, obtain the patient’s authorization before
you use his/her PHI in the presentation or, at minimum,
ensure that the audience is limited to healthcare students or
professionals.
Patient Logs
Information collected and submitted on
a patient log of your educational
activities must be facially de-identified
Your educational program may require you to keep a
Patient Log, a list of patients to whom you have been
assigned, and to conduct follow-up reviews. As you
keep your Patient Log, please follow the rules for “facially
de-identifying” patient information.
Some Do’s and Don’ts:
“Facially De-identifying” Patient Data
Can Do
- Use generic terms to describe a patient, for example:
  - 36 year old white male living in Arizona
  - Admitted in October 2002
  - Construction worker
- Black out/delete/cut out patient identifiers on hard copy
Cannot Do
- Leave patient identifiers in the information used/removed, such as:
  - Patient’s/relatives’ names
  - Birth dates
  - Address
  - Employer
- Take copies of dictated reports home with you (unless facially de-identified)
Here are some examples of how to “facially
de-identify” patient information. Remember that
you are only permitted to retain the patient’s
medical record number, dates of service, and zip
code for certain educational purposes.
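As an added example (not part of this training module), the following Python applies the slide’s rule of thumb to a patient-log entry and to a dictated report: it keeps only the medical record number, dates of service and zip code, replaces the birth date and exact admission date with an age and a month, and blacks out the patient’s and relatives’ names, birth date, address and employer wherever they appear in the report text. The record layout, field names, sample record and sample report are constructed for illustration; no facility’s actual record format is implied.

```python
"""Facially de-identify a patient-log entry and a dictated report.

Added example for the training slide above; it is not the module's own
material. Field names, the record layout and the sample data are
constructed for illustration. The output is still PHI under HIPAA: this
is the slide's "facial" de-identification, not Safe Harbor de-identification.
"""
import re
from datetime import date

# Constructed sample record (not a real patient).
SAMPLE_RECORD = {
    "mrn": "00123456",
    "name": "John Q. Sample",
    "relatives": ["Mary Sample"],
    "dob": date(1966, 3, 12),
    "sex": "male",
    "race": "white",
    "address": "123 Main St, Phoenix, AZ 85004",
    "state": "Arizona",
    "zip": "85004",
    "employer": "Acme Construction Co.",
    "occupation": "construction worker",
    "admitted": date(2002, 10, 17),
    "discharged": date(2002, 10, 21),
}

# Constructed dictated report mentioning every identifier the slide lists.
SAMPLE_REPORT = (
    "John Q. Sample, DOB 03/12/1966, of 123 Main St, Phoenix, AZ 85004, "
    "employed by Acme Construction Co., was admitted 10/17/2002. "
    "His wife Mary Sample was present."
)


def age_at(dob, on):
    """Whole years of age on the date 'on' (the birth date is replaced by age)."""
    years = on.year - dob.year
    if (on.month, on.day) < (dob.month, dob.day):
        years -= 1
    return years


def facially_deidentify(rec):
    """Keep only what a student may retain (MRN, dates of service, zip)
    and describe the patient in the generic terms the slide shows."""
    return {
        "mrn": rec["mrn"],
        "dates_of_service": (rec["admitted"].isoformat(),
                             rec["discharged"].isoformat()),
        "zip": rec["zip"],
        "description": (
            f"{age_at(rec['dob'], rec['admitted'])} year old {rec['race']} "
            f"{rec['sex']} living in {rec['state']}; {rec['occupation']}; "
            f"admitted in {rec['admitted']:%B %Y}"
        ),
    }


def identifier_patterns(rec):
    """Regexes for the identifiers that must be blacked out: patient's and
    relatives' names (each name word, so a surname alone is caught),
    birth date in two common spellings, address and employer."""
    pats = []
    for full_name in [rec["name"]] + rec["relatives"]:
        for word in re.findall(r"[A-Za-z]{2,}", full_name):
            pats.append(re.compile(rf"\b{re.escape(word)}\b", re.IGNORECASE))
    dob = rec["dob"]
    pats.append(re.compile(rf"\b{dob:%m/%d/%Y}\b"))
    pats.append(re.compile(re.escape(f"{dob:%B %d, %Y}")))
    pats.append(re.compile(re.escape(rec["address"])))
    pats.append(re.compile(re.escape(rec["employer"])))
    return pats


def scrub_report(text, rec):
    """Black out every listed identifier before a copy leaves the facility."""
    for pat in identifier_patterns(rec):
        text = pat.sub("[REDACTED]", text)
    return text


def contains_identifier(text, rec):
    """Check to run before taking notes or copies home."""
    return any(p.search(text) for p in identifier_patterns(rec))


if __name__ == "__main__":
    print(facially_deidentify(SAMPLE_RECORD))
    scrubbed = scrub_report(SAMPLE_REPORT, SAMPLE_RECORD)
    print(scrubbed)
    print("identifiers remain:", contains_identifier(scrubbed, SAMPLE_RECORD))
```

The scrub is driven by the identifiers in the structured record, so it catches only what is listed there: a middle initial, a nickname or a misspelled name in the dictation would survive. That is why the slide tells you to black out hard copy by hand and check it, and why the result still counts as PHI that you must protect.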
Some Do’s and Don’ts:
Accessing PHI
Can Do
- Request access to PHI through appropriate channels:
  - Request access to medical records through Medical Records
  - Submit the completed appropriate data request form for data reports
Cannot Do
- Remove medical records from the facility
- Leave patient records/data in the break room or other areas where they are unattended
- Out of curiosity, access the records of the celebrity who was admitted last week or the records of a patient with an unusual medical condition
Each facility has established procedures for obtaining access to
PHI. See the Matrix for more information.
If you are assigned to a facility that has implemented an
electronic medical record, you will probably be able to access
information about patients with whom you do not have a
treatment relationship. Keep in mind that simply because you
are able to access the information does not mean you have
permission to do so. Each facility has implemented audit trails
to monitor users who have accessed a patient’s electronic
medical records. If a facility discovered that you accessed a
patient’s record and you had no legitimate reason for doing so,
you could be subject to sanctions.
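As an added example (not a facility’s actual audit tooling and not part of this module), the following Python shows the kind of check an audit trail makes possible: each access in an EMR access log is compared against the roster of who was assigned to which patient on which dates, and any access with no treatment relationship is flagged; records that several unrelated users looked at in the same export are flagged again, since that is the pattern a high-profile admission produces. The log columns, the roster, the exempt role and the threshold are assumptions for illustration.

```python
"""Review an EMR access audit trail for access without a treatment relationship.

Added example for the paragraph above; it is not a facility's real audit
tooling. The log columns, the assignment roster, the role exemption and
the fan-in threshold are assumptions for illustration.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed audit-trail export (not real data).
AUDIT_LOG = """\
timestamp,user,role,mrn,action
2003-05-01T08:05:00,jdoe,student,00123456,view_chart
2003-05-01T08:40:00,jdoe,student,00123456,view_labs
2003-05-01T12:15:00,jdoe,student,00987654,view_chart
2003-05-01T12:16:00,asmith,student,00987654,view_chart
2003-05-01T12:20:00,bkim,nurse,00987654,view_chart
2003-05-01T12:25:00,clee,student,00987654,view_chart
2003-05-02T09:00:00,asmith,student,00555555,view_chart
2003-05-03T10:00:00,jdoe,student,00123456,view_chart
"""

# Constructed roster: (user, mrn, first day, last day) of each assignment.
ASSIGNMENTS = [
    ("jdoe", "00123456", "2003-05-01", "2003-05-02"),
    ("asmith", "00555555", "2003-05-02", "2003-05-02"),
    ("bkim", "00987654", "2003-05-01", "2003-05-01"),
]

# Roles whose duties legitimately span records they do not treat
# (e.g. the Medical Records department). Assumption for illustration.
NON_TREATMENT_ROLES = {"medical_records"}


def has_relationship(user, mrn, when, assignments):
    """True if 'user' was assigned to 'mrn' on the day of the access."""
    day = when.date().isoformat()  # ISO dates compare correctly as strings
    return any(u == user and m == mrn and start <= day <= end
               for u, m, start, end in assignments)


def review_audit_trail(log_text, assignments, fan_in_threshold=3):
    """Flag each access with no treatment relationship on that date, then
    flag records that several unrelated users viewed (the pattern a
    high-profile admission produces)."""
    findings = []
    unrelated_viewers = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["role"] in NON_TREATMENT_ROLES:
            continue
        when = datetime.fromisoformat(row["timestamp"])
        if not has_relationship(row["user"], row["mrn"], when, assignments):
            findings.append({
                "user": row["user"], "mrn": row["mrn"],
                "timestamp": row["timestamp"],
                "reason": "no treatment relationship on the date of access",
            })
            unrelated_viewers[row["mrn"]].add(row["user"])
    for mrn, users in unrelated_viewers.items():
        if len(users) >= fan_in_threshold:
            findings.append({
                "user": None, "mrn": mrn, "timestamp": None,
                "reason": f"{len(users)} users without a relationship viewed "
                          f"this record (possible high-profile patient)",
            })
    return findings


if __name__ == "__main__":
    for finding in review_audit_trail(AUDIT_LOG, ASSIGNMENTS):
        print(finding)
```

Two details in the sample are worth noticing. The final jdoe access is flagged even though jdoe was the assigned student two days earlier: the rotation ended, so the technical ability to open the chart outlived the permission to do so, which is exactly the point the paragraph above makes. And the check cannot tell a curious look-up of a friend (Scenario #5 below) from any other unrelated access; it only surfaces the access, after which the facility asks you for the reason.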
Is it okay?
Scenario #5:
Q: My friend was admitted yesterday after
collapsing during a bike ride. I am very
concerned about her progress and would like
to visit her but I don’t know which room she
is in. Is it okay if I look up the information in
the computer system?
A: No. Using your access privileges to look up
any information for any patient when there is
no need to know based on your
responsibilities in the hospital is a violation
of patient confidentiality.
Unless you are directly involved in providing health care for
your friend, it is not appropriate for you to access her
electronic medical record. Your friend is entitled to privacy, as
are all patients.
As discussed on the Facility Directory slides, please ask for
your friend by name at the nurses station or information desk.
As long as your friend has not requested “No Information”
status, staff will be able to tell you her room number and you
will be able to visit.
Some Do’s and Don’ts:
Safeguarding Information
Must Do
- Password protect laptops/PDAs
- Shred facially de-identified papers when you are done with them
- Ensure the memory/hard drive has been wiped clean when selling/disposing of a PC, laptop or PDA
- Encrypt any PHI sent over the Internet
Cannot Do
- Leave information in open or other public areas
- Discuss patients in the elevator, hallways or the cafeteria
- Dispose of facially de-identified information in your trash can (it is still identifiable under HIPAA!)
- Share your access codes/cards
Remember that under HIPAA, “facially de-identified” information is
still Protected Health Information (PHI). You are responsible for
keeping the information confidential and secure. Here are some
examples of safeguards you should follow:
1. Maintain control over your PDA, class work and other documents that
contain patient information. Know where they are at all times.
2. Do not let a friend borrow or share your access codes (log-in) or
cards for any reason. You are responsible for inappropriate access to
data or secured areas that occurs under your identification.
3. When you no longer need health information you have collected,
dispose of it appropriately. Do not throw it away in your trash can!
4. Do not send PHI over an open network unless the information is
encrypted.
5. Always use discretion and common sense. Consider how you would
want others to protect your personal health information.
Questions?
For further information or questions,
please contact the facility’s privacy
officer.