Transcript Protected Health Information

Privacy Policies for the
Healthcare Professional
HIPAA
Limits sharing of Protected Health
Information
Restricts employers from using Protected
Health Information in employment decisions
Requires employers & employees to adopt
& apply certain procedures to safeguard
Protected Health Information
Three HIPAA Rules
1. Privacy Rule protects individuals from
discriminatory or wrongful use of their
Protected Health Information.
2. Security Rule safeguards PHI through
security officers & security measures.
3. Electronic Transactions & Code Set
Rule sets standard codes for electronic
transactions.
Penalties for Non-Compliance
• For knowing misuse of PHI: up to 1 year
imprisonment, or $50,000 fine, or both
• For obtaining PHI under false pretenses: up to
5 years imprisonment, or $100,000 fine, or both
• For using PHI for commercial advantage, personal
gain, or malicious harm: up to 10 years imprisonment,
or $250,000 fine, or both
• Civil Penalties: min. $100 per client, max. $25,000
per year per client
Client Rights
To have their Protected Health Information protected
To inspect & copy their records
To request their PHI records be corrected/changed
To request limits on how their PHI is used/shared
To request the manner in which to be contacted
(at home and not at work)
To get a list of disclosures made of their PHI
Client’s Right to Access
Clients may be charged for the costs of copying,
including personnel time, supplies required, & mailing,
but not for the cost associated with retrieving information.
Copies for individuals other than the client may be
charged at whatever rate the covered entities desires.
Access may be denied if a licensed provider has
determined that access may be dangerous to the client
or another person.
If access is denied, the covered entity must notify
the individual in writing of the reason for the
denial & provide the individual with access to
all information that is not subject to the denial.
Some denials are subject to review
at the client’s request.
Client Cannot Amend
If the covered entity did not create the
information unless the client can show that
the originator is unavailable
If the information is complete & accurate “as is”
If the information is the type of
information that would not be
available for the client to access
Amendment IS Granted
Make the amendment to the client’s records.
Notify anyone who has received the information
of the amendment.
Amendment is NOT Granted
Notify the client in writing.
Upon client’s request, include a copy of request
for amendment in all future disclosures.
If the client and/or covered entity adds a
rebuttal statement, include that statement in all
future disclosures & provide the client with a
copy.
Accounting of Disclosures
The first accounting in a 12-month period
must be free of charge to the client.
Account for all disclosures made in the previous
6 years (but after HIPAA 04/14/03).
Not required to account for TPO, to client, for
national security or intelligence, to correctional
institutions, incidental disclosures, or
disclosures pursuant to client’s written
authorization.
Written Notice of Privacy Practices
Providers are required to give a written
Notice of Privacy Practices that explains
how they use & share PHI, clients’ rights
& entity’s responsibilities regarding PHI,
& who to contact for more information.
Written Notice of Privacy Practices
Provided at the time of first delivery of services
or in an emergency provided as soon as
practicable after the emergency passes
Posted at each physical site of service
Posted on website (if one)
Available upon request by anyone at the physical
site of service
Covered entity must document failed efforts to
obtain a written acknowledgement of receipt
Sample Privacy Notice
We may use and disclose your PHI to a family member,
friend or other person to the extent necessary to help with
your healthcare or with payment for your healthcare, but
only if you agree that we may do so. If you are present,
then prior to use or disclosure of your health information,
we will provide you with an opportunity to object to such
uses or disclosures. In the event of your incapacity or
emergency circumstances, we will disclose health
information based on a determination using our
professional judgment disclosing only health information
that is directly relevant to the person's involvement in
your healthcare. We will also use our professional
judgment and our experience with common practice to
make reasonable inferences of your best interest in
allowing a person to pick up filled prescriptions, medical
supplies, x-rays, or other similar forms of health
information.
NOT Protected Health Information
Pre-employment physicals or
substance abuse screenings
Family Medical Leave Act Request
Americans With Disability Act Request
Disability retirement or
retirement savings plan
withdrawals for health
Protected Health Information
Names
Addresses
All dates
Telephone/FAX
numbers
Email addresses
Social Security
Numbers
Photographs
Account numbers
Medical record numbers
Health plan numbers
License & Vehicle
Identification Numbers
Diagnosis & medications
Any other unique
identifying number,
characteristic, or code
Protected Health Information
Use generally refers to
how PHI is handled by
the provider.
Disclosure generally refers
to how PHI is shared
externally.
Protected Health Information
Electronic: Internet, fax,
disks, back-up tapes
Paper: written or photo
X-Rays: film or electronic
Audio or Video
Oral Communications:
in person or by telephone
or voice mail
Protected Health Information
Sent or stored in any form
Identifies the client or can
be used to identify the client
Created or received by a
covered entity
Concerns a client’s past,
present or future treatment or
payment for services
Minimum Necessary
The amount of PHI used, shared, accessed, or
requested must be limited to only what is needed.
When a billing company bills for a blood test,
it does not need the client’s complete medical
record.
Minimum Necessary
Workers should have ONLY such PHI as their
job responsibility requires.
Someone who delivers food trays may need
PHI about the client’s diet but does not need to
know the reason the client is in the hospital.
Covered Entities
Healthcare Plans
Organized Health Care Arrangements
Healthcare Providers including doctors,
nurses, therapists, & people who transmit
information electronically
Healthcare clearinghouses
(DENIS, WebMD)
Hospitals & clinics
Other Entities
Affiliated Entities
must be under common
ownership or control &
must prepare & retain a
Hybrid Entities
written designation.
may have some covered
portions & some noncovered. Firewalls are
required to prevent
unauthorized disclosure
by the covered portion to
the non-covered portion.
Business Associates
Any non-employed vendor providing
a service for the covered entity where
access to PHI is needed must sign a
Business Associate Agreement
promising to keep PHI confidential.
A company developing entry
software must see actual PHI.
Employees, volunteers, trainees are
NOT considered business associates.
Information Exchange
Laboratories
Insurance Companies
Provider Offices
Pharmacies
Banks
Government
Employers
Hospitals
Mandated Transaction Standards
• Healthcare Claims or Encounters
• Healthcare Claims Status
• Healthcare Claims Payments & Remittance
•
•
•
•
•
•
Advice
Healthcare Enrollments & Disenrollments
Health Plan Eligibility
Health Plan Premium Payments
Health Plan Claims Attachments
Referral Certification & Authorization
First Report of Injury Worker’s Compensation
Treatment, Payment, & Operations
Treatment: activities related to client care
Payment: activities related to paying for or getting
paid for healthcare services
Healthcare Operations: day-to-day activities of a
covered entity such as planning, management, training,
improving quality, providing service and education, but
NOT research
KEY TERMS
Consent
A general document that gives
covered entities, which have a
direct patient relationship,
permission to use and disclose
all personal health information
(PHI) for treatment, payment &
operation (TPO) purposes
(Physician to use and disclose
medical records and lab results)
Authorization
A more customized document
that gives covered entities
permission to use PHI for
purposes other than TPO or
disclosure to a third party
(Follow-up for diabetes
counseling once diagnosed)
KEY TERMS
Covered Entities
Health Plans, Healthcare Clearinghouses
Health Care Providers & extensions of provider
service (financial & administrative functions)
Business Associates
A person or entity who provides certain functions &
services for or to a covered entity involving protected
health information (medical waste vendor)
Prior Written Authorization
DO NOT use or disclose PHI for any non-routine
purposes without prior written authorization
signed by the client.
Prior Written Authorization form must include
The name of the person or persons authorized
to make & receive the disclosure
A description of the information to be disclosed
The expiration date & a statement that the
authorization can be revoked at any time
The client’s or legal agent’s signature & date
Prior Written Permission NOT Required
To treat a client, to get paid
for treatment, or to evaluate
the person who provided
treatment
To share PHI with that client
To report births & deaths
(public health purposes)
For disclosure to vendors for
TPO under a written contract
Prior Written Permission NOT Required
To report abuse, neglect, or domestic
violence
For certain law enforcement
For organ, eye, or tissue donation
To avoid serious threats to health or safety
For coroners, medical examiners, or funeral
directors
Prior Written Permission REQUIRED
For Marketing & Fundraising
A doctor cannot give a diaper
company the names of pregnant
clients without clients’ prior
written authorization including
how the PHI will be used, for
how long, & by whom.
Prior Written Permission REQUIRED
For Use & Disclosure of
Psychotherapy Notes
recorded by mental health
professionals about private,
group, joint, or family
counseling sessions that are
separate from the rest of the
client’s medical records
Exceptions
For a covered entity to train students
For the covered entity to defend itself in a
legal action brought by the individual who is
the subject of the psychotherapy notes
For coroners and medical examiners
As necessary to prevent a serious and imminent
threat to health or safety
For health oversight activities
Uses and disclosures required by law
Prior Written Permission REQUIRED
For Use and Disclosure for Research
A researcher cannot enroll
a client in a study without
prior written authorization
that includes how the PHI will
be used, by whom, & for how
long.
Prior Opportunity to Reject Required
Facility directories
Friends & family members involved in
client care or payment
Clergy
Disaster relief organizations
Incidental Disclosure
Allowed if reasonable steps
or safeguards are taken to
secure & protect PHI
Visitors may hear a client’s
name called in a waiting
room, over speakers, or
overhear a clinical discussion
while walking down a
hallway.
Incidental Disclosure
Sign-in sheets may be used
but should NOT ask the reason
for the visit.
Charts at bedside or outside
exam rooms are allowed but
should face backwards.
Client care signs are allowed,
such as for diet needs.
Alternative Communications
You must comply with all
reasonable request about how
& where to contact clients.
Messages can be left on answering
machines or with those who answer
the phone, but the message should
be limited to minimum necessary.
Do NOT disclose sensitive
information.
Incidental Disclosure
Prescriptions can be
discussed with the client
over a drugstore counter or
by the healthcare provider or
client by telephone.
PHI can be shared in group
therapy settings for
treatment.
Clients’ conditions may be
discussed in entity’s
educational programs.
Incidental Disclosure
You may speak to other
providers or clients even if
you may be overheard.
You may orally arrange services
at nursing stations.
You may discuss a client’s
condition with that client, other
providers, or family members
over the telephone or in a client’s
semi-private room with the client’s
oral permission.
Reasonable Safeguards
Speak in soft tones when discussing PHI.
DO NOT discuss PHI in public hallways
or elevators.
Use but DO NOT share computer passwords.
Always lock cabinets that store PHI.
Administrative Requirements
Privacy Official is responsible for developing &
overseeing privacy for the covered entity.
Contact Officer distributes information & receives
complaints about privacy practices.
(May be conducted by the Privacy Official in smaller
organizations.)
Must be a written designation.
Training required for ALL members of the workforce, mu
be job-specific, and requires retraining when a
change in the law affects a workforce member’s
handling of Protected Health Information.
Documentation
Covered entities must ADOPT & APPLY
policies & document in written or electronic form.
Must provide a process for receiving & addressing
complaints & complaints must be documented.
Retention is required for 6 years from the date the
document was created or the date the document
was in effect, whichever is later.
The Department of Health & Human Services
Office of Civil Rights will oversee compliance.
FAQ
Q: Is PHI the same as A: No, HIPAA protects more
the medical record?
than the official medical
record. A great deal of
other information is also
considered PHI, such as
billing and demographic
data. Even the information
that a person is a client is
Protected Health
Information.
A: It is not a violation as long
as you were taking reasonable
Q: What if I’m precautions & were discussing
the
protected
health
information
accidentally
for a legitimate purpose. The
overheard
HIPAA privacy rule is not meant
discussing a to prevent care providers from
client’s PHI? communicating with each other
& their clients during the course
of treatment. These "incidental
disclosures" are allowed under
HIPAA.
Q: If I overhear patient A: If appropriate,
care information in
the elevator or in the
hallway, how should I
handle it?
remind the speakers
of the policy in private.
If the conversation
clearly violates policies
or regulations, report it
to the Privacy Officer.
Q: I work in the
hospital and don't
need to access PHI
for my job, but
every now & then a
client’s family
member asks me
about a client.
What should I do?
A: Explain that you
do not have access
to that information,
& refer the
individual to the
client’s healthcare
provider.
A:
If working with law
enforcement is not part of
your responsibility, contact
Q: What should I do your supervisor. If it is your
responsibility, provide only the
if a government
minimum amount necessary to
agency or law
support the investigation after
enforcement
verification of the authority of
person requests
the individual or organization
making the request. Always
information
consult your supervisor or the
about a client?
Privacy Officer if you are unsure
what to do. The privacy rules are
very specific in this area.
Q: Do I need
to record the
fact that I’ve
made these
disclosures?
A: For the most part, yes.
You need to document most
disclosures made without prior
authorizations except
disclosures made for TPO
purposes. Contact the Privacy
Officer for details about which
disclosures do not require
documentation.
Q: When I am speaking to
a client & friends or family
members are in the
treatment room, do
I assume the client has
given me permission to
speak of the PHI in front
of these people or do I
need to ask them to leave?
A: It is proper to speak,
unless the client objects.
If you are uncertain,
you can ask the client
if it is okay to discuss
his/her PHI in front of
the person or persons in
the room.
Q: Can someone
else pick up a
client's x-rays,
prescriptions,
or medical
supplies?
A: Yes, if in the care
provider's professional
judgment it is okay to
give the prescriptions,
x-rays, or medical
supplies to that
individual.
Q: What if
someone from
a government
agency asks
for protected
health
information?
A: First determine if this
is part of your job
responsibility to provide
such information, verify
who the person is asking
for such information, &
then contact your
supervisor.
A: If the request is made
Q: What if I get by phone & the
requester identifies
a phone call
him/herself as the client,
looking for
you can ask him/her to
information, &
provide personal
the caller says
information for
he/she’s the
verification, such as
client? What
his/her birth date or
Social Security Number.
should I do?
A: If someone other than
Q: I know that
clients have a right
to their PHI, but
what about
parents/guardians
of incompetent
clients?
the client has the legal
right to make healthcare
decisions for the client,
that person is the client's
personal representative &
has the right to access the
client's PHI. However, if
you have good reason to
believe that informing the
personal representative could
result in harm to the client or
others, then you do not have
to disclose the PHI.
A: You need to tell the client
only if he/she asks for an
accounting of disclosures,
Q: When the law requires & the disclosure was made
me to make a disclosure, without an authorization. If
such as reporting HIV
there is good reason to believe
infection, do I need to tell that informing the client could
the client that I disclosed result in harm to that individual,
then you may not be required to
the information?
tell him/her. In some cases,
government agencies can also
require that the client not be
informed. If you are in doubt,
contact the Privacy Officer.
Q: As part of my job, A: Always ask the
I have access to a
client who can
client’s PHI. How
receive this
do I know which
information &
family & friends
document the
can be told this
client’s response in
information?
the medical record.
A: You will have to decide this on
Q: If the client is
not conscious, to
whom can we
disclose the PHI?
a case-by-case basis. If you know
the client's preferences, as in “you
can tell my spouse, but not my sister,”
then document the request & follow it.
Otherwise, use your professional
judgment. Always use the Minimum
Necessary standard--disclose only
information that is directly relevant to
the person's involvement with the
client's healthcare. Once a client has
regained consciousness, he/she will
determine when & how to share
protected health information.
Q: If a client asks
for his/her PHI, do I
need any special
identification from
the client?
A: If the client is
asking for his/her
own information,
you need only to
verify his/her
identity.
Q: What if I
A: Check to see if this
get approached individual has been
by an someone
approved by the client
who just says
for disclosure of PHI.
he’s a friend of
If so, ask for one or more
pieces of identification,
a client?
including a picture ID.
A:
If you are asked to send or
Q: What about
leave messages, verify with
requests to leave
protected
information on
voice mail, an
answering
machine, or FAX
machine?
the client or other approved
individual that it is okay to
leave messages. Make sure
you confirm the number &
leave only the minimum
information necessary. Use a
cover sheet identifying the
proper recipient. Avoid
leaving sensitive information
in this manner.
A: Most often, faxed requests for
Q: What do I
do if I receive
a request for
PHI by FAX?
PHI will come from other
healthcare providers or payers,
like billing agencies or insurance
companies although clients may
occasionally ask to have
information faxed to them.
If a client, health provider, or payer
requests that you fax PHI, get a
specific fax number from them &
double-check the number before
sending.
A:
Ask
for
the
request
Q: What if
to
be
on
official
agency
someone from a
letterhead
&
call
back
government
the
indicated
number
to
agency sends a
verify
the
request
is
FAX asking me
legitimate.
for information?
A: In the event that a fax went
Q: What if I
find a FAX
went to a
wrong
number?
to a wrong number, try to
retrieve the communication
containing the PHI that was
faxed to the wrong number or
ensure that the information
has been destroyed in a secure
fashion.
A: It’s a good idea to
Q: Is there any
way I can make
the process
more secure?
program commonly
used FAX and telephone
numbers to diminish
potential dialing errors.
If possible, ask the
person to whom you’ve
sent a FAX to confirm it
was received.
A: When communicating
Q: What if I
receive a
request for PHI
on my pager?
by alpha pagers, send only
the minimum amount of
information necessary &
delete received messages
once no longer needed.
A: If you are asked not to
leave voice messages,
Q: What if I’m
do NOT do so. This is
not supposed
especially important with
to leave a
clients who may not want
message?
to share PHI with family
members, roommates, or
coworkers.
A: If your unit has
specific policies
Q: What if a client regarding email
requests that I
requests, follow them.
communicate with Otherwise, here are
him/her by email? some things you can
do…
EMAIL
1. Inform client not to use email for time sensitive
matters, as you may be out of the office or busy taking
care of other clients.
2. Make sure clients understand that email is not secure.
3. Verify the client's identity. Ask clients if they have an
email address when you see them face-to-face. You may
want them to complete a form authorizing email contact.
4. Do not initiate email with clients without first getting
their permission & use only the email address they
provided unless they notify you of a change.
5. If you receive any request by email, do not assume
the sender is the person he/she claims to be, especially
if the request is unexpected. If you have not previously
verified an email address with the client, contact either
the client to verify the sender’s identity & email address,
or contact the person making the request by another
method for verification of the email address. If in doubt,
talk to your supervisor. In general, be careful about
sending PHI in response to emails because of the
difficulty in identifying senders accurately.
6. Minimize the amount of information disclosed in an
email.
Q: What if
clients disclose
their PHI in an
email?
A: If clients disclose their
own PHI in an email to
you, you can discuss it.
However, you should
avoid disclosing
additional PHI in
return.
A: Yes, healthcare
employees
may
look
up
Q: Can I look up
their
own
records
if
they
my own records
have
access
to
the
online?
systems containing this
information.
A: It depends. You may
access a spouse’s PHI only
if you have your spouse's
Q: Can I look
prior written permission.
up information Otherwise, it is a serious
about my spouse violation. The same policy
or other family applies looking up family,
friends, or co-workers. You
members?
must get their prior
permission in writing.
A: It depends. Healthcare
employees are allowed to look up
the records of children in their
custody who are under 11 years old.
If your children are 11 years
Q: Can I look up or older, you do not have the right
my children’s
to look up their records & using
the computer to access information
records?
inappropriately is a serious
violation. You may, however,
request information from your
children's care providers.
A: Students working within
Q: What are a healthcare system must
the access
follow the same regulations
policies for
and policies as regular
employees.
students?
Q: I work with
temporary staff A: No, it is against policy to allow
who will be here
any staff, including temporary
only a short time. staff, to use another healthcare
They need
employee's computer access.
computer access to If you allow someone to use
do their work. Can your access, you will be held
I give them my
responsible for what they do.
password or log
Your department's authorized
signer can make the request for
them on as me?
new accounts.
A: Start by installing a
Q: What’s the
hard-to-break password,
first thing to do using a variety of letters
to protect PHI
and numbers, & consider
on a laptop or
having a serial number
PDA?
engraved on the PDA or
laptop to help deter theft.
A: Do NOT allow others,
Q: What else
such as family members,
can I do for
to use computer equipment.
security?
They might accidentally
access confidential
information.
Q: I’m going A: Use a secure erase
to dispose of
program to remove PHI
my laptop or
from all personally owned
PDA. Are there PDAs, laptops, or
special
computers BEFORE
precautions I
selling or otherwise
disposing of them.
should take?
A: Paper records containing PHI
Q: What’s the
safest way to
dispose of PHI
in the office?
should be disposed of in designated
confidential recycling receptacles, such
as the blue bins in many healthcare
facilities--not in the regular trash.
Ask for assistance with secure disposal
of non-paper records containing PHI,
like disks, radiographs & other types of
storage media. Never put them in the
regular trash.
In general, follow your department's
secure disposal procedures for using
secure disposal bins or shredding
documents.
A: The healthcare system
Q: What will
happen if the
PHI regulations
have been
violated?
may face civil or criminal
penalties and be substantially
fined. Further, employees who
knowingly misuse protected
health information may be
subject to prosecution, fines,
& imprisonment up to
ten years, in addition to any
disciplinary actions by their
employer.
U.S. Department of Health
& Human Services
www.hhs.gov/ocr/hippa
If you have questions or need additional
information, visit the official website
to take advantage of frequently
updated resources there.