THE HIPAA PRIVACY RULE


HIPAA PRIVACY TRAINING FOR
ASSOCIATES
HAYS MEDICAL CENTER
CHRISTY STAHL, CPC
COMPLIANCE MANAGER &
PRIVACY OFFICER
2010
HIPAA
HMC’s Privacy Officer is Christy Stahl. She is responsible for the
oversight of HMC’s compliance with the HIPAA privacy regulations.
She also investigates any alleged privacy violations.
Associates
You will notice the term “Associates” is used throughout this
training. “Associates” is a broad term that represents all the
following individuals who are associated with HMC:
• Employees
• Volunteers
• Students
• Other trainees
• Members of the Board of Directors
• Locum Tenens
• Contract Staff
• Independent Contractors
• Other persons whose conduct is under the direct control of HMC
  (whether or not they are compensated by HMC for such services)

LESSON ONE
Welcome to the introductory lesson on the
HIPAA Privacy and Security Rules
COURSE RATIONALE
In this course, you will learn about:
• Federal regulations concerning patient
confidentiality and computer security
• How those regulations impact your job
duties/training at HMC

COURSE GOALS
After completing this course, you should:
• Know the rules regarding the use and disclosure of
protected health information
• Understand safeguards to protect patient privacy
• Appreciate the importance of computer security
COURSE OUTLINE
Lesson 1 – this introductory lesson gives you the course
rationale, goals, and outline
Lesson 2 – provides an overview of the HIPAA Privacy and
Security Rules
Lesson 3 – explains the rules regarding use and disclosure of
patient information
Lesson 4 – addresses patients’ rights concerning their health
information
Lesson 5 – talks about safeguards to protect patient privacy
Lesson 6 – focuses on HIPAA Security Rule requirements

LESSON 2
Overview of the HIPAA Privacy and Security Rules

Welcome to Lesson 2 for an overview of the HIPAA
Privacy and Security Rules
After completing this lesson, you should:
– Understand where the rules came from
– Appreciate why we have these rules
– Know the consequences of violating the rules

• HIPAA stands for the Health Insurance Portability and
Accountability Act of 1996
• HIPAA is a federal law that was enacted by Congress
and signed by the President in 1996

As part of the HIPAA law, Congress directed the
U.S. Department of Health and Human Services
(DHHS) to develop regulations that would:
- protect patient privacy
- protect the security of health information stored
and transmitted electronically

The final HIPAA Privacy Rule became effective in
April 2003
The final HIPAA Security Rule became effective in
April 2005
These rules regulate the way covered entities handle
protected health information

The HIPAA Privacy and Security Rules only apply to covered
entities
We refer to covered entities as CEs
There are three types of CEs:
- Health Care Providers (e.g., hospitals, physicians, nursing
homes, pharmacies)
- Health Plans (e.g., health insurance companies, employer-sponsored
health plans)
- Healthcare Clearinghouses (organizations that process
insurance claims)
HMC is a CE, so the hospital, its physician clinics, and Associates
must comply with the HIPAA Privacy and Security Rules

The HIPAA Privacy and Security Rules regulate how we safeguard,
use, and disclose Protected Health Information, or PHI.
PHI includes all individually identifiable health information
PHI is not limited to paper documents. It includes electronic
data and oral communications

Health information includes:
- Past, present, or future physical or mental health or
condition of an individual
- Provision of health care to an individual; or
- Past, present, or future payment for the provision of
health care to an individual.

Health information is individually identifiable if it:
- identifies an individual, or
- provides some basis from which someone could identify
an individual if they really wanted to

Examples of information that is considered
“identifying”:
- name, address, telephone number, fax number, email
address
- birth date, admission date, discharge date
- social security number, medical record number, account
number
- information about relatives, employers, etc.
- vehicle ID number, URL address

Examples of PHI
All of the following constitute PHI:
- A lab test report that lists only the patient’s medical record number
- A conversation between two nurses about the patient in Room 202
- A message on an answering machine asking John Doe to call his
doctor’s office
- A receipt for payment of an office visit co-payment

Consequences of violating the HIPAA Privacy and
Security Rules
- Significant government fines and penalties against HMC
  (up to $50,000 per violation)
- Criminal penalties against the individuals involved in the
violation
- Expensive civil lawsuits brought by individuals against HMC
and its Associates
- Damage to HMC’s reputation in the community
- For licensed individuals (e.g., nurses, therapists), disciplinary
action by their licensing board

Consequences of violating HMC’s HIPAA policies:
- For HMC employees, disciplinary action by
HMC, up to and including termination
- For students, termination of their training at
HMC
- For contracted individuals, termination of their
contract with HMC

You have completed Lesson 2 on the purpose
of the HIPAA Privacy and Security Rules

Remember:
• The HIPAA Privacy and Security Rules regulate the way covered
entities safeguard, use, and disclose protected health information
• PHI is any information relating to a person’s health, healthcare, or
payment for healthcare services that contains something that could be
used to identify the person
• PHI is not limited to paper documents. It includes electronic data and oral
communications
• The consequences of violating these rules can be severe for HMC and its
Associates

Lesson 3
Uses and Disclosures of PHI

Welcome to Lesson 3 on uses and disclosures
of PHI
After completing this lesson, you should be able to:
- List uses and disclosures of PHI allowed under the
HIPAA Privacy Rule
- Recognize what must be included in written permission
for uses and disclosures
- Define “minimum necessary” use or disclosure

Competing Interests
The HIPAA Privacy Rule tries to balance two competing
interests:
- No. 1: protect patient privacy
- No. 2: allow the flow of PHI when needed to
ensure high quality healthcare and protect
public health

A CE cannot use or disclose PHI without the
patient’s authorization unless an exception applies
Exceptions are based on the purpose of the use or
disclosure, as opposed to the type of PHI involved
Let’s look at some of those exceptions

Treatment, Payment, Health Care Operations
Use and disclosure of PHI is permitted without patient
authorization if the purpose of use or disclosure is
- treatment
- payment
- health care operations
Treatment
HMC may use and disclose PHI to treat its patients
HMC may disclose PHI to other healthcare providers
for them to treat their patients
Payment
HMC may use and disclose PHI to obtain payment
for services it provides.
HMC may disclose PHI to another CE as necessary
for that CE’s payment purposes
Health Care Operations
HMC may use and disclose PHI for health care operations, which include:
- management functions necessary to support treatment or payment
- quality assurance activities
- utilization review activities
- audits
- credentialing
Research activities and marketing do not qualify as health care operations
HMC may disclose PHI to another CE for that CE’s health care operations
only if that CE has a pre-existing treatment relationship with the
patient
Opportunity to Opt Out
HMC may use or disclose PHI in the following ways
without a written authorization if the individual
has the opportunity to agree to or prohibit or
restrict the use or disclosure:
- HMC may use a patient’s name, location in the facility,
religious affiliation, and condition described in general terms to
maintain a facility directory. HMC may disclose this
information to clergy or, with the exception of religious
affiliation, to other persons who ask for the person by name
- HMC may disclose to a patient’s family member, close
personal friend, or other person identified by the patient PHI
directly relevant to such person’s involvement with the patient’s
care or payment for services
- HMC may use or disclose PHI to notify a family member, a
personal representative of the individual, or other person
responsible for the individual’s care
Other Permitted Uses and Disclosures Without
Written Authorization
The HIPAA Privacy Rule includes several other
exceptions that permit use and disclosure of PHI
without written authorization
- as specifically required by law
- for public health activities (e.g., reporting disease or injury)
- to report victims of abuse, neglect, or domestic violence
- for health oversight activities by the government
- in judicial and administrative proceedings
Continued:
- for law enforcement purposes
- to disclose information to coroners, including medical
examiners, or for the purpose of cadaveric organ, eye and
tissue donations
- to avert a serious threat to health and safety
- to a funeral director as necessary to carry out duties with
respect to decedent
- for specialized governmental functions
- for workers’ compensation claims

Special Rules for Certain Types of
Disclosures
Use and disclosure of PHI for the following purpose
without an authorization is permitted in limited
circumstances
- marketing
- fundraising
- research
Special Rules for Certain Types of PHI
Certain types of PHI are subject to special
protections under state and federal law
- HIV/AIDS information
- records of treatment in a federally-assisted drug and alcohol
treatment program
- information relating to patients of community mental health
centers, community service providers, psychiatric hospitals,
or state institutions for the mentally retarded
Even if a particular use or disclosure is permitted without an authorization under the
HIPAA Privacy Rule, such use or disclosure may be prohibited under these rules

Authorizations
If no exception applies, HMC must obtain a written
authorization from the patient (or personal
representative) before using or disclosing the
patient’s PHI

Authorization – Required Elements
To be effective, a written authorization must include:
- Description of PHI to be used or disclosed
- Description of the purpose of the use or disclosure
- Description of the persons or class of persons that may use PHI or to
whom the PHI may be disclosed
- Revocation and re-disclosure instructions
- Notice that HMC must treat the patient regardless of whether
authorization is given
- Expiration date or triggering event
- Individual’s signature or personal representative’s signature and
authority
HMC has a standard Authorization Form it uses to release PHI.

• Breach Notification
– If a patient’s PHI is breached, HMC must provide specific
written notice of such breach to that patient within 60 days
of discovery
– Must submit annual reports to the government
– Breach = improper use or disclosure + potential for harm to
the individual
– HMC must review every improper use or disclosure to
determine if it constitutes a breach
– Failure to document such review = HIPAA violation
• Associates must report all improper uses or
disclosures of PHI to HMC’s Privacy Officer
Minimum Necessary Rule
Any use or disclosure must be limited to the
minimum amount of information necessary to
accomplish the specific purpose of the use or
disclosure.
The minimum necessary rule does not apply to:
- uses and disclosures for treatment purposes
- uses and disclosures made pursuant to an
authorization
- disclosures to the person who is the subject of the
information
- disclosures required by law
Associate Access to PHI
An Associate may access or discuss any patient’s
PHI only to the extent necessary to perform
his/her job duties
An Associate who accesses or discusses any
patient’s PHI (including family members) without
a legitimate job-related reason for doing so will be
subject to discipline up to and including
termination
What To Do If You Have Questions
The rules concerning use and disclosure of PHI can
be confusing
If you have a question concerning these rules,
contact HMC’s Privacy Officer, Christy Stahl
- 785-623-2188 work #
- 785-623-1821 cell #
- [email protected]

You have completed Lesson 3 on uses and
disclosures of PHI

Remember:
- you cannot use or disclose PHI without written authorization unless an
exception applies
- uses and disclosures for treatment, payment, and health care operations
are permitted
- there are several other exceptions that apply in specific circumstances
- a written authorization must contain specific information to be valid
- all improper uses or disclosures of PHI must be reported to the
Privacy Officer to determine if breach notification is required
- an Associate who uses or discloses a patient’s PHI without a job-related
reason for doing so will be disciplined
- seek guidance from your supervisor or the Privacy Officer before
disclosing any protected health information to a police officer
- if you have questions concerning uses and disclosures of PHI, contact
HMC’s Privacy Officer

Lesson 4
Patients’ Rights Concerning Their PHI
Welcome to Lesson 4 on patients’ rights
concerning their PHI
After completing this lesson, you should be able to:
- identify patients’ rights concerning their PHI
- assist a patient who wants to exercise one of those rights
Right to Access PHI
HMC must give a patient access to inspect and copy
his or her PHI maintained in a designated record
set
A patient wanting access must submit a written
request to the Medical Records Department
Right to an Accounting
A patient may request accounting of HMC’s uses and
disclosures of the patient’s PHI made within the last 6
years
Such an accounting does not include uses or disclosures for
treatment, payment, or health care operations or uses and
disclosures authorized by the patient
A patient wanting an accounting must submit a written
request to the Privacy Officer
Right to Request Amendments
A patient can request that PHI be amended if he or
she believes it is not accurate
HMC can deny such request if the information is
accurate and complete or not created by HMC
A patient seeking an amendment must submit a
written request to the Privacy Officer or to the
Medical Records Department
Right to Request Restrictions
A patient may request HMC restrict those uses or
disclosures permitted without authorization
Such request must be made in writing to the Privacy
Officer or to the Medical Records Department
HMC is not required to agree to such request
Right to Receive Confidential
Communications
A patient may request that HMC communicate with him or
her by alternative means or at alternative locations (e.g.,
only contact the patient at a certain telephone number)
HMC must abide by all reasonable requests
If a patient makes such a request to you, make sure such
request is communicated to the appropriate people and
documented appropriately
You have completed Lesson 4 on patients’
rights concerning their PHI

Remember:
A patient has the right to:
- access his/her PHI
- obtain an accounting of HMC’s disclosures of his/her PHI
- request an amendment to his/her PHI
- request restrictions on uses and disclosures permitted
without an authorization
- receive confidential communications

Lesson 5
Administrative Requirements
Welcome to Lesson 5 on administrative
requirements
When you complete this lesson, you should be able
to:
- identify the administrative requirements the HIPAA
Privacy Rule imposes on HMC
- understand the importance of following safeguards to
prevent improper disclosures of PHI
Notice of Privacy Practices
• HMC must give all of its patients a written Notice
of Privacy Practices
• Patients are requested to sign an acknowledgement
of receipt
• A copy of the Notice is available on HMC’s
website, www.haysmed.com

Safeguards
All Associates must follow safeguards to prevent
improper uses and disclosures of PHI
As part of your work, you will have conversations
with patients, family members, and co-workers
involving PHI. You must take care to avoid others
overhearing those conversations
Never leave documents containing PHI unattended
where they could be accessed by unauthorized
persons

Safeguards (Cont.)
Never share your computer password with anyone
else
Never allow anyone else to use your computer
password
If you have reason to believe the security of your
password has been compromised, notify the
Privacy Officer immediately
Safeguards (Cont.)
Always wear name badges to prevent unauthorized
individuals from having access to PHI
Confirm identity of person with whom speaking
and follow procedures when leaving messages
Keep all PHI within an HMC facility unless job
duties specifically require otherwise (this is the
rule, not the exception)
Safeguarding Electronic PHI (e-PHI)
Computer Security Measures:
▪ Passwords and access codes
▪ Audit logs
▪ Physical location of equipment
▪ Firewalls, virus detection
▪ Password-protected screensavers
▪ Removal and destruction
▪ User profiles
▪ Encryption
▪ Data back-up
Other Administrative Requirements
To comply with the HIPAA Privacy Rule, HMC
must:
- discipline Associates, Vendors, and Agents that violate the
HIPAA Privacy Rule
- maintain a complaint/grievance process for complaints
about HIPAA Privacy Rule violations
- take action to mitigate any bad effect of inappropriate
disclosure or use of PHI to the extent possible
Reporting Concerns
If you believe there has been a violation of the
HIPAA Privacy Rule, report that information to
the Privacy Officer as soon as possible
Prohibition on Waiver and Retaliation
HMC will not require any person to waive his or her
rights under the HIPAA Privacy Rule as a
condition of treatment or payment of benefits
HMC strictly prohibits any sort of retaliation,
intimidation, or discrimination against persons
exercising their rights under the HIPAA Privacy
Rule
You have completed Lesson 5 on the HIPAA
Privacy Rule’s administrative requirements
Remember:
- you must act to protect patient confidentiality
- you will be disciplined if you do not follow proper
safeguards
- you must report suspected violations of the
Privacy Rule to HMC’s Privacy Officer

Your responsibilities:
• Comply with the HIPAA Privacy Rules
• Follow the Confidentiality Agreement
• Do not take any PHI out of the facility
• Do not access your medical record or the medical record of
your family members on your own – make a request at the
Medical Records Department (Health Information
Management)
• Do not access any medical records unless your job/training
requires you to access a patient’s medical record
• Do not have an Associate, Physician, or any other person
access a record for you

Your responsibilities:
• Do not view patient status boards for other departments
• Never text any information about a patient
• Do not discuss patients with persons outside HMC
• Do not discuss your training experience at HMC on
Facebook, MySpace, or Twitter, even if you do
not mention patient names
• Associates that are students must de-identify all
information used, unless your HMC supervisor gives you
approval to obtain an authorization from the patient
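The list of “identifying” elements in Lesson 2 and the requirement just above that student Associates de-identify any information they use both come down to one check: does a record still carry any of those elements? The Python script below is an added example for this page; it is not HMC’s de-identification process and not code from the training. The record field names, the constructed sample record, and the regular expressions are assumptions made for the illustration. It drops the deck’s identifying fields from a structured record, scrubs the same elements where they appear inside free text, and reports anything that remains, so a record counts as clean only when the check returns an empty list.

```python
"""De-identification check built from the training deck's list of
"identifying" elements (Lesson 2).

Added example: not HMC's process and not code from the training. The field
names, the constructed sample record and the regular expressions are
assumptions for this illustration.
"""
import re
from typing import Any

# Structured-record keys that correspond to the deck's identifying elements
# (name, address, phone/fax, email, birth/admission/discharge dates, SSN,
# medical record and account numbers, relatives/employer, vehicle ID, URL).
# The key names are assumptions; a real record layout would differ.
IDENTIFYING_FIELDS = {
    "name", "address", "telephone", "fax", "email",
    "birth_date", "admission_date", "discharge_date",
    "ssn", "medical_record_number", "account_number",
    "relatives", "employer", "vehicle_id", "url",
}

# The same elements as they commonly appear inside free-text notes.
# Illustrative patterns only: they do not catch names or street addresses.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "telephone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "url": re.compile(r"\bhttps?://\S+"),
    "medical_record_number": re.compile(r"\bMRN\s*\d+\b", re.IGNORECASE),
}


def remaining_identifiers(record: dict[str, Any]) -> list[str]:
    """Return the identifying elements still present in a record.

    An empty list means the record passed this check; otherwise each entry
    names the offending field, or field:pattern for a hit inside free text.
    """
    found = []
    for key, value in record.items():
        if key in IDENTIFYING_FIELDS:
            found.append(key)
        elif isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS.items():
                if pattern.search(value):
                    found.append(f"{key}:{label}")
    return found


def de_identify(record: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of the record with identifying fields removed and
    free-text occurrences of the same elements replaced by a placeholder."""
    cleaned = {}
    for key, value in record.items():
        if key in IDENTIFYING_FIELDS:
            continue  # drop the whole field, not just its value
        if isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS.items():
                value = pattern.sub(f"[{label.upper()} REMOVED]", value)
        cleaned[key] = value
    return cleaned


# Constructed sample record; the patient and every value are fictitious.
SAMPLE_RECORD = {
    "name": "Jane Sample",
    "medical_record_number": "000123",
    "birth_date": "01/02/1970",
    "diagnosis": "Type 2 diabetes",
    "note": "Pt seen 03/14/2010, MRN 000123, call 555-555-0100; "
            "portal https://example.invalid/visit",
}

if __name__ == "__main__":
    print("before:", remaining_identifiers(SAMPLE_RECORD))
    cleaned_record = de_identify(SAMPLE_RECORD)
    print("after: ", remaining_identifiers(cleaned_record))
    print(cleaned_record)
```

Run it and the first line lists the three identifying fields plus four hits inside the note; after `de_identify` the list is empty and only the diagnosis and the scrubbed note survive. The patterns are deliberately narrow: a patient’s name or address typed into a note would pass this check, which is why a tool like this is a first pass and the supervisor review the deck describes still applies.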