Transcript HIPAA - Salina Regional Health Center

Committed To World Class Service
HIPAA:
YOUR GUIDE TO PRIVACY AND SECURITY
at
SALINA REGIONAL HEALTH CENTER
Revised October 2013
Committed To World Class Service
HIPAA - WHAT IS IT?
HIPAA stands for Health Insurance Portability and Accountability Act of 1996. Until HIPAA was
passed, rules to protect personal health information did not exist. Congress saw HIPAA as an
opportunity to move health care into the electronic age. HIPAA sets national standards for the written,
oral, faxed, and electronic management of patient information. It is illegal to violate HIPAA.
HIPAA:
• requires healthcare organizations to notify patients of their health information rights.
• requires healthcare organizations to obtain patient consent before sharing protected health
information with others unless the information will be used for treatment, payment, or
healthcare operations.
• sets standards to protect the integrity, availability, and confidentiality of information.
WHO MUST ABIDE BY HIPAA?
Healthcare providers - hospitals, clinics, nursing homes, physicians, suppliers, and others who
furnish, bill, and/or are paid for providing healthcare services
Health plans - group health plans, health insurance issuers, Medicare, Medicaid, and all
governmental healthcare programs for military personnel, their dependents, veterans, etc.
Clearinghouses - billing services, repricing companies, "value-added" networks, etc., that are
involved in the processing of health claims
Confidential Information
Confidential information takes on many forms. It can be information printed on paper, or data
files stored on a computer, a hand-held device such as a smartphone, computer media, or
voice mail.
Regardless of the form it takes, you are responsible to protect it from unauthorized
disclosure or modification.
Committed To World Class Service
HIPAA VIOLATION PENALTIES
In addition to internal disciplinary action, HIPAA violations can lead to civil sanctions and
fines. Criminal penalties for "wrongful disclosure" could result in large fines and/or jail
time. Serious offenses include:
• knowingly releasing patient information. This can lead to one year in jail and a $50,000
fine.
• gaining access to health information under false pretenses. This can lead to five years in
jail and a $100,000 fine.
• releasing patient information with harmful intent or selling patient information. This can
lead to ten years in jail and a $250,000 fine.
Due to the Kansas Risk Management law, if an investigation determines that an employee has
committed a privacy violation, the violation will be reported to the employee's licensing agency.
REMEMBER - HIPAA VIOLATIONS CAN HAVE SERIOUS
CONSEQUENCES!
Committed To World Class Service
HIPAA- THINK ABOUT IT
In today's world, health information is easily transported and
increasingly accessible. Information management
technologies increase the risks and threats to the privacy of
personal health information. HIPAA provides a structure for
compliance with standards to protect the privacy and
security of health information.
No matter where you work (health center, lab, radiology, business office, doctor's office, volunteer
services, information technology, patients' homes, etc.), or whether you have a direct patient care role
or not, it is important to know the meaning of privacy, security, and confidentiality!
• As a student at SRHC, you are expected to keep privacy, security, and confidentiality central to
providing quality care.
• Remember that PATIENTS have the right to control who sees their health information.
• In the past, privacy, security, and confidentiality were considered to be ethical
obligations. Despite this, many situations led to health information ending up in the wrong
hands. HIPAA seeks to correct breaches of privacy, security, and confidentiality.
• REMEMBER - MAINTAINING PATIENT PRIVACY, SECURITY, AND CONFIDENTIALITY IS
THE LAW!
Committed To World Class Service
HIPAA: IMPACT ON CLINICAL PRACTICE
HIPAA has had a significant impact on clinical practice. HIPAA does the following:
• Gives patients more control over their health information.
• Sets boundaries on the use and release of health records.
• Establishes safeguards that healthcare providers and others must provide to protect the privacy of
health information.
• Holds violators accountable, with civil and criminal penalties that can be imposed if it is determined
that a patient's privacy rights were violated.
• Strikes a balance when public responsibility supports disclosure of some data to protect public health
(as in the case of child abuse).
HIPAA changes every facet of health care, including the way clinicians work, how data is accessed, how
healthcare information is stored and shared, and authorizations and consents. It is important that you:
• share or use only the minimum amount of health information necessary to communicate information
about patients.
• are aware of what patient information you are legally allowed to share and with whom.
• discuss a patient's personal health information in private.
• shred patient information instead of just throwing it in the trash.
• never leave patient information unattended in an area where unauthorized people can see it.
Committed To World Class Service
COMMUNICATION OF HEALTHCARE INFORMATION
HIPAA dramatically changes how healthcare information is communicated. Keep in mind:
• Display of patient information on a white board must be out of the view of the public.
• Phone communication requires more verification prior to giving out patient information.
• Communication with or about patients that involves sharing patient health information must be
conducted in private and limited only to those who need to know the information in order to provide
treatment, payment, and/or healthcare operations.
• It is important for you to know to whom patients have approved the release of personally identifiable
health information.
Committed To World Class Service
HIPAA- TERMS TO KNOW
Health Information (HI) - refers to information in ANY form (oral, written, electronic) related to an
individual's past, present, or future physical or mental health, including the services delivered and
the method of payment.
Protected Health Information (PHI) - refers to any individually identifiable health information
(IIHI) that is transmitted or maintained in any form.
Electronic Protected Health Information (EPHI) - refers to any individually identifiable health
information that exists in or is transmitted in electronic form.
WHAT IS IDENTIFIABLE INFORMATION?
• Names
• Addresses
• Employers
• Relatives' names
• Dates of birth
• Telephone & fax
numbers
• E-mail addresses
• Social Security
numbers
• Medical Record
numbers
• Member/account
numbers
• Certificate numbers
• Voice Prints
• Finger prints
• Photos
• Codes
• Any other
characteristics
which may be used to
identify an individual
(for
example, occupation)
Committed To World Class Service
DID YOU KNOW?
Patients are concerned about privacy. In a November 2000 Gallup Poll commissioned by Medic Alert:
• 77% of the people surveyed feel their personal health privacy is very important.
• 84% were somewhat to very concerned that their personal health information might be available
without their consent.
• 90% said they trust their doctor to keep their personal health information private and secure, and
66% said they trust a hospital to do the same.
• 42% said they trust their insurance company.
• Only 7% were willing to store or transmit personal information on the Internet, and only 8% felt a
web site could be trusted.
REMEMBER
• Healthcare providers are bound by
law to protect patients' privacy and
security. Increased access to
healthcare information leads to
increased risks for misuse.
Committed To World Class Service
MISUSE OF HEALTH INFORMATION
People assume that discussions they have with healthcare providers will remain private. They expect that
their private health information will not be shared inappropriately with others. When people don't trust
healthcare providers, they:
• do not obtain treatment.
• give incomplete or inaccurate information.
• try to pay for services out of pocket to prevent insurance claims.
• change healthcare providers frequently.
• ask physicians to NOT document actual conditions.
REMEMBER
Medical information is some of the most
sensitive and personal information that is
collected and shared. Privacy is central
to the healthcare provider/patient
relationship.
Committed To World Class Service
Sshhh: PRIVATE MEANS PRIVATE
If your role as a student requires you to discuss healthcare information with patients, be
sure to assess the environment before you start talking. Are there other people in the
area who might hear the information you are sharing? Are those people authorized to
hear the information you are sharing?
Patients have the right to expect that they can talk to their healthcare providers in private
and that their protected health information will be shared with (or overheard by ) only
those people they have authorized.
RESPONSIBILITIES
You should also use caution when discussing information with other providers involved in
a patient's care. Make sure that people who DON'T NEED TO KNOW about a patient's
medical condition don't hear your conversations.
Committed To World Class Service
HIPAA AND PATIENT RIGHTS
HIPAA regulations give patients the right to:
• determine who can see and hear their personal health information (PHI).
• inspect their medical records and, for a reasonable fee, obtain copies of those
medical records if they want them.
• restrict the use and release of information.
• file complaints based on violation of privacy rights.
• exclude their names from patient directories.
• request confidential or alternative communication methods.
• request a list of when and where their confidential information was released.
Committed To World Class Service
HIPAA AND CONFIDENTIALITY
REMEMBER
Information about patients is considered
confidential whether it is written, saved on a
computer, or spoken out loud. Information includes
name, address, age, social security number, past
medical history, reason for visit, etc.
As a student in a healthcare setting, it is important that you take steps to protect the privacy of
patients.
Committed To World Class Service
PROTECTING PRIVACY: IT'S EVERYONE'S JOB!
• Use care when you discuss patients' health information. Don't hold discussions in hallways, elevators,
cafeterias, or other public places in the health center. Always make sure that your discussions with
patients, staff, family members, etc., can't be overheard.
• Do not leave open charts, lab results, medications, or other sensitive information out in the open where
others can see it. Keep test results private.
• Do not use the intercom to provide health information to patients or other staff members.
• Make sure you know whether or not a patient has opted out of the directory.
• DO NOT GIVE HEALTH INFORMATION to family members or friends unless you are authorized by a
patient to do so.
• Keep records locked and accessible only to those people who need them in order to do their jobs.
• Make sure that posted or written information about patients can't be seen by the public
Committed To World Class Service
PROTECTING PRIVACY: IT'S EVERYONE'S JOB!
• Provide a private area for patients to discuss their health concerns, financial information, etc. with
physicians and other staff.
• Knock on doors before entering patient rooms. Draw privacy curtains and close doors when appropriate.
• If you are unsure about whether or not you should provide information about a patient, ask your supervisor
for assistance.
• If you overhear employees, students or observers discussing patients inappropriately, remind them of
confidentiality policies. Report problems if you know of them!
• When you leave a computer terminal, make sure you LOG OFF or LOCK the workstation to prevent others
from accessing patient information under your log-in. To lock the workstation, hit the Ctrl Alt Delete keys,
then click the "lock workstation" tab. SPECIAL NOTE: Keep in mind that if you share a computer
workstation with others (i.e. at a nurse’s station), it is best for you to log off the workstation when
you step away instead of locking it. If you lock the workstation, other staff will be unable to log in to
the workstation until you return and log off.
• WHEN YOU LOOK FOR INFORMATION ON PATIENTS, REMEMBER - ONLY SEEK INFORMATION
YOU NEED TO KNOW IN ORDER TO DO YOUR JOB PROPERLY.
Committed To World Class Service
THE "NEED TO KNOW" RULE
Patient privacy boils down to one main point - the "need to know."
Believe it or not, as a student at SRHC, you do not have the right to look at all the information available on
every patient. For example, a student on 3 Center does not have the right to look at the medical record of
a friend on 2 Center. Not all students need to see patient health information about patients, and some
only need to see partial patient information.
Before looking at patient information, ask yourself, "Do I need to know this to do my job?" If the answer is
"yes," you are allowed to access the information. If the answer is "no," access to the information is NOT
ALLOWED. You will be in violation of HIPAA regulations if you access patient information you don't NEED
TO KNOW in order to do your job.
Many students at SRHC do not have access to computer-based or written patient
information. Why? Because they don't need to know patient information in order to complete their
clinical/observation. If a fellow student asks you about a patient, only provide information if he/she is
directly involved in the patient's care and needs to know the information in order to appropriately care for
the patient.
Remember the SRHC rule of thumb - ask yourself, "Do I need to know this to do my job?" YOU
SHOULD NOT ACCESS ANY INFORMATION THAT YOU DO NOT NEED TO KNOW IN ORDER TO DO
YOUR COMPLETE YOUR CLINICAL/OBSERVATION.
Committed To World Class Service
HIPAA AND THE HOSPITAL DIRECTORY
The following protected health information can be maintained in a patient directory: name, location in
the hospital, condition described in general terms (good, fair, poor), and religious affiliation. SRHC must
inform patients of the protected health information that may be included in the directory and to whom it
might release the information (including clergy). SRHC provides patients with the opportunity to restrict
or prohibit some or all of the uses or disclosures.
• If a patient chooses to have his/her name published in the directory, then patient name, room number,
general condition (serious, poor, fair, good, etc.) will be given to people who ask for the patient by
name.
• If a patient chooses NOT to have his/her name in the directory, then mail will be returned, flowers will
not be delivered, and people asking for the patient by name will be told, "There is no one by that name
listed in our patient directory."
• Patients who do NOT want to have their names in the directory will be listed on the white board using
first and last initials. Additionally, a star should be placed by those patients' initials.
Committed To World Class Service
TIME OUT FOR PRACTICE
Hilda is observing on a unit in the hospital where Celia, a member of her church, is currently
hospitalized. Hilda knows that Celia's family could use some help with meals, transportation, and
babysitting. Hilda also knows that members of the church would be happy to help Celia's family, but the
problem is that nobody from church knows that Celia is in the hospital. Hilda can get Celia's family the
help it needs by making a quick phone call to the church.
In accordance with HIPAA regulations, Hilda should:
call her pastor, explain the situation, and
arrange to have healthy meals taken to Celia's
home for the next five days.
do nothing unless Celia gives her the
authorization to call the church and get help for
her family.
Click to the next screen to find out the correct answer.
Committed To World Class Service
TIME OUT FOR PRACTICE
Hilda is observing on a unit in the hospital where Celia, a member of her church, is currently
hospitalized. Hilda knows that Celia's family could use some help with meals, transportation, and
babysitting. Hilda also knows that members of the church would be happy to help Celia's family, but
the problem is that nobody from church knows that Celia is in the hospital. Hilda can get Celia's
family the help it needs by making a quick phone call to the church.
Before Hilda can call the church, Celia must give her authorization. If Hilda calls the church without
getting Celia's authorization, she is in violation of HIPAA regulations.
In accordance with HIPAA regulations, Hilda should:
call the church pastor, explain the situation, and arrange
to have healthy meals taken to Celia's home for the
next five days.
do nothing unless Celia gives her the authorization to
call the church and get help for her family.
INCORRECT
CORRECT
Committed To World Class Service
TIME OUT FOR PRACTICE
You hear a "Code Blue" called on the Mother/Baby unit, and you are curious to know who coded and
why. You know the unit secretary on Mother/Baby, so you call her to find out what happened.
According to HIPAA regulations, should the unit secretary give
you the information you are requesting?
Yes, because you tell her you won't share the information
with anyone else. You tell her you are just curious to
know what happened because it is unusual for someone
to code on the Mother/Baby unit.
No, she shouldn't give you any information unless you can
demonstrate a legitimate NEED TO KNOW. Any time
patient information is requested for purposes other than
treatment, payment, or operations, its release must be
authorized.
Click to the next screen to find out the correct answer.
Committed To World Class Service
TIME OUT FOR PRACTICE
You hear a "Code Blue" called on the Mother/Baby unit, and you are curious to know who coded and
why. You know the unit secretary on Mother/Baby, so you call her to find out what happened.
Based on the information provided in the scenario, you are seeking information out of curiosity. It doesn't
matter that you promise to keep the information to yourself. You do not NEED TO KNOW any information
about the patient who coded and why she coded; therefore, the unit secretary should not give you the
information you are requesting.
According to HIPAA regulations, should the unit secretary give you the information you
are requesting?
Yes, because you tell her you won't share the information
with anyone else. You tell her you are just curious to
know what happened, because it is unusual for someone
to code on the Mother/Baby unit.
INCORRECT
No, she shouldn't give you any information unless you can
demonstrate a legitimate NEED TO KNOW. Any time
patient information is requested for purposes other than
treatment, payment, or operations, its release must be
authorized.
CORRECT
Committed To World Class Service
KEY POINTS REGARDING TECHNOLOGY:
• Use the "NEED TO KNOW " rule before you access electronic personal health information. ONLY
ACCESS PATIENT INFORMATION YOU NEED TO KNOW IN ORDER TO PERFORM YOUR JOB
RESPONSIBILITIES.
• Once you log on to a computer workstation, ALL ACTIVITY UNDER YOUR LOG-IN IS TRACKED
AND ATTACHED TO YOUR NAME. Even if you are only stepping away from the computer terminal
for a brief time, it is very important that you protect yourself by either logging out of or locking the
workstation.
• To lock the workstation, hit the Ctrl Alt Delete keys, then click the "lock workstation" tab. If you forget
to log off or lock the computer workstation and someone uses that workstation to inappropriately
access patient information, you could be held responsible in the event a complaint is
filed. Why? Because the inappropriate activity will be attached to your log-in Remember, if you
share a computer workstation with others (i.e. at a nurse’s station), it is best for you to log off
the workstation when you step away instead of locking it. If you lock the workstation, other
staff will be unable to log in to the workstation until you return and log off.
• Make sure you enter information into the computer in a timely, accurate manner. Timeliness and
accuracy ensures that appropriate information is available for medical decision-making. For example,
failure to document a medication at the time it is administered could cause the medication to be
duplicated or could give the appearance of omission or chart tampering.
User IDs
Your user ID uniquely identifies you. You are responsible for all actions associated with
your user ID; therefore, it is important to ensure that your user ID is used only by you
and no one else.
You will be held responsible for the actions of another individual if you allow them to
obtain and use your user ID and password or allow them access to patient information in
a clinical application while you are logged on.
Committed To World Class Service
COMPUTER WORKSTATIONS
Take these steps if you work with computers:
• Angle your computer away from public access/view.
• Keep all PDA's, laptops, and media locked up when not in use.
• Log off the system at the end of the work day. Log-off or lock the workstation when you leave
your work area.
• Even if you don't share a computer with someone else, it is possible that someone could try to
illegally access information on your computer. Never leave secure information unattended while
you are logged onto a secure system.
• Never allow anyone to use a secure system for which he/she does not have
access after you have logged onto the system.
Committed To World Class Service
TIME OUT FOR PRACTICE
A classmate needs to look up information on a patient; however, you are currently logged into the
computer he needs to use. You tell him to "go ahead and look up the information" and then log off the
computer. Four months later, while checking up on a reported HIPAA violation, investigators discover
that patient information was inappropriately accessed under your log-in. The problem is, you know
you weren't the one who did it!
Do you have anything to be concerned about?
Yes, this is a problem for you because all activity conducted
under your log-in is tracked and attached to your name. If a
complaint is filed, you could be held responsible for
inappropriately accessing patient information.
No, there is no problem for you because even though the
information was accessed under your log-in, you weren't
the one who did it. All you have to do is tell investigators
that someone used your log-in to access patient records
inappropriately, and all will be OK for you.
Click to the next screen to find out the correct answer.
Committed To World Class Service
TIME OUT FOR PRACTICE
A classmate needs to look up information on a patient; however, you are currently logged into the
computer he needs to use. You tell him to "go ahead and look up the information" and then log off the
computer. Four months later, while checking up on a reported HIPAA violation, investigators discover
that patient information was inappropriately accessed under your log-in. The problem is, you know you
weren't the one who did it!
Remember, once you log into a computer, ALL ACTIVITY UNDER YOUR LOG-IN IS TRACKED
AND ATTACHED TO YOUR NAME.
Do you have anything to be concerned about?
Yes, this is a problem for you because all activity
conducted under your log-in is tracked and attached to
your name. If a complaint is filed, you could be held
responsible for inappropriately accessing patient
information.
No, there is no problem for you because even though the
information was accessed under your log-in, you weren't
the one who did it. All you have to do is tell investigators
that someone used your log-in to access patient records
inappropriately, and all will be OK for you.
CORRECT
INCORRECT
Personally Owned Devices
The IT department must approve any personally owned devices (including, but not limited
to, laptops, tablets, iPads, and digital cameras) prior to being connected to workstations or
the internal network.
SRHC offers a “guest” wireless network for our patients, visitors or contractors. You may
use personally owned devices with the guest wireless network on your personal time.
Texting and Cell Phones
Text messaging is not a secure form of communication.
Text messaging of confidential information is not allowed.
Taking pictures of computer screens containing confidential information is also not
allowed.
Reporting Security Incidents
Notify the IT Help Desk (extension 7792) and your supervisor if you become aware of or suspect
the following:
–
Theft of or damage to equipment
–
Unauthorized use of user passwords
–
Policy violations
–
Any other problems or questions with information security or patient privacy
The Omnibus Rule and Business Associates
•
•
•
The HIPAA Rules define “business associate” to mean a person who performs
functions or activities on behalf of, or certain services for, a CE that involve the use or
disclosure of PHI.
Disclosure means the release, transfer, provision of, access to, or divulging in any
manner outside the entity holding the information.
Access means the ability or means necessary to read, write, modify or communicate
data/information or otherwise use any system resource.
The Omnibus Rule
•
Applies to:
– Covered Entities (CE) refers to providers, hospitals, health plans
– Business Associates (BA)
– Subcontractors to Business Associates that handle Personal Health Information
(PHI) on behalf of Business Associates
Business Associates
•
BAs must comply with the technical, administrative, and physical safeguard requirements, as well
as the policies and procedures and documentation requirements, for ePHI under the HIPAA
Security Rule.
•
Direct liability for BAs under HIPAA would attach regardless of whether a BA, contractor and/or
subcontractors have entered into the required business associate agreements.
Committed To World Class Service
HIPAA: SUMMARY
As you go about your daily job tasks, keep HIPAA in mind. Think of every item of information or data
about any person who obtains service from SRHC as health information. As you deal with patients
and/or their information, keep in mind:
• What is the information?
• Who can hear or see the information?
• Where is the information going?
• How will the information be used?
• How will I keep track of the information?
• How and where is the information maintained?
Failure to protect patient information and
patient records by not following SRHC's
privacy policy can have a serious impact
on your status as a student at SRHC.
Committed To World Class Service
HIPAA: IF YOU HAVE QUESTIONS
• For questions about privacy issues at SRHC, contact Kallie Burgardt, Privacy
Officer, Ext. 6897.
• For questions about computer security issues at SRHC, contact Larry Barnes, Chief
Information Officer, Ext. 7703.
TO REPORT A BREACH OF PRIVACY OR SECURITY, CONTACT BECKY GROSLAND,
COMPLIANCE OFFICER, EXT. 7094.
If a patient believes his/her right to privacy has been violated, he/she can write a letter of
complaint and send it to SRHC or the U.S. Department of Health and Human Services. Contact
Kallie Burgardt for details. THERE IS NO PENALTY FOR FILING A COMPLAINT.
Committed To World Class Service
HIPAA
Our patients trust you to keep their information private and secure.
Remember, “Entrusted with people's lives, we are privileged
to provide quality healthcare service in a healing and spiritual environment."