Transcript HIPAA Privacy Compliance

HIPAA Privacy Education for Physicians
The following course may be used to fulfill Lifespan’s HIPAA
privacy awareness training requirements by physicians.
Check with your Department Chair to make sure that you
have permission to take this course and to determine if there
are additional HIPAA training requirements you must
complete.
Please note that there is also an Office of Research
Administration training course that may be more applicable
for physicians performing research.
You must take the test accompanying this course
to fulfill your HIPAA awareness
training requirement.
HIPAA
The Health Insurance Portability and Accountability
Act (HIPAA) was enacted by Congress in 1996.
HIPAA has many components, one of which is its
Privacy Rule.
After much Congressional delay HHS implemented
the final Privacy Rule on April 14, 2003. It requires
that:

Training be tailored to address the specific
functions that Lifespan physicians perform.
HIPAA Expectations of Lifespan
Employees Including Physicians
► Use
or disclose Protected Health Information (PHI)
only for work related purposes
► Limit uses and disclosures to the “minimum
necessary” to achieve those work purposes
► Exercise reasonable caution to protect PHI under
your control
► Understand and follow Lifespan’s privacy policies
► Try to remedy any privacy problems or to report
them to the Privacy Officer at 401-444-4728 or via
a confidential email to [email protected]
HIPAA Expectations of Lifespan
Employees Including Physicians
► Note
that “incidental uses and disclosures” are
inevitable and do not violate the privacy rule as
long as reasonable precautions are taken
► Understand that reasonable limits and efforts,
appropriate to the circumstances are all that
HIPAA requires
► Recognize that Lifespan will not retaliate or
discriminate against any patient or worker who
express a privacy concern.
Key Lifespan HIPAA Documents
In addition to the material contained in this
presentation you may want to review the following
important HIPAA documents/policies.
Lifespan Joint Privacy Notice
 Incidental Disclosure of Protected Health
Information
 Verifying Identity and Authority of Requestor
 Privacy Related Complaints
 Prohibiting Intimidating or Retaliatory Acts

This information is contained on the Compliance web
page: http://intra.lifespan.org/compliance/
The Privacy Rule
►
►
►
►
Ensures nationwide uniform procedural protection for all
health information
Imposes new restrictions on the use and disclosure of
protected health information (PHI)
Gives patients greater access to their medical
records
Provides patients with more control over their
health information
What is Protected Health Information
(PHI)?
When a patient gives personal
health information to Lifespan,
that information becomes PHI.
Examples of PHI
Examples of information that might connect
personal health information to the individual
patient include:
 The individual’s name or
address
 Social Security or other
identification number
 Physician’s personal notes
 Billing information
What are the Rules for Use/Disclosure
of Protected Health Information?
HIPAA’s Privacy Rule is all about the use and
disclosure of PHI. PHI can’t be used or disclosed by
anyone unless it is permitted or required by the
Privacy Rule.
PHI is used when:
 Shared
 Examined
 Applied
 Analyzed
PHI is disclosed when:
 Released
 Transferred
 In any way accessed
by anyone outside of
the covered entity
Lifespan employees are permitted to
use or disclose PHI for:




Treatment, payment, and
healthcare operations
With authorization or
agreement from the individual
patient
For disclosure to the individual
patient
For incidental use such as
physicians talking to patients
in a semi-private room.
Lifespan’s Joint Privacy Notice
The Lifespan Joint Privacy Notice is a required
document which is provided to all patients
receiving direct care after April 13, 2003.
It describes how PHI may be used and disclosed by
Lifespan and how patients can get access to this
information.
 Patient’s must acknowledge receipt
of the Notice in writing, if possible.
 Copies are kept of all notices and
acknowledgements.

Lifespan’s Joint Privacy Notice describes…
1.) Who we are
“Lifespan is a single covered entity that can share patient information
across affiliates.”
2.) Our pledge to protect health information
3.) How we may use and disclose PHI – For instance, we do
not need patient authorization to use PHI for treatment,
payment and healthcare operations.
“As an example, a doctor treating a patient for a broken leg may need to
know if the patient has diabetes because diabetes may slow the healing
process. Different healthcare professionals may share the patient’s
medical information in order to coordinate the different
treatments/procedures needed, such as, lab work, x-rays and
prescriptions. Also, in order to coordinate the patient’s care the hospital
may share the patient’s information with a physician to which the patient
is being referred.” – No Authorization is needed .
Lifespan’s Privacy Notice describes…
4.) When Patient Authorizations are required or the patient
has an opportunity to object, for example
►
►
To being placed on the Hospital Directory
For marketing, research activities etc.
5.) Patients Rights regarding their PHI – specifically, patients
have rights to:
►
►
►
►
►
Request Restrictions
Request confidential communication
Inspect and copy their PHI
Amend their PHI if incorrect
Receive an accounting of non-routine
disclosures of PHI
Lifespan’s Privacy Notice describes…
6.) Who to contact with inquiries or complaints.
In many cases the Privacy protections outlined in the
Privacy Notice were already in place because RI law is often
more stringent than the Privacy Rule.
►The RI State law pre-empts the Privacy Rule
What is Minimum Necessary?
In general, use/disclosure of PHI is limited to the
minimum amount of health information necessary to get
the job done. That means:
 Lifespan has developed policies and practices to make
sure the least amount of health information is shared
 Employees are identified who regularly access PHI
 The types of PHI they need and the conditions for
access are approved
See the policy entitled Minimum Necessary Protected
Health Information for more information
General Rule: If you have no need to review the PHI
then stop!
What is Minimum Necessary?
The Minimum Necessary Rule
does not apply to
use/disclosure of medical
records for treatment, since
healthcare providers need the
entire record to provide
quality care.
Per HHS disclosure of PHI
that exceeds the minimum
necessary standard is one of
the areas receiving the
greatest number of patient
complaints.
Privacy Practices Designed to Protect PHI:
►
All Lifespan professional staff have an obligation to follow
these general practices, which are designed to limit
inappropriate disclosures.
1.) Follow IS guidelines designed to minimize access to
our computerized systems; specifically,
never give out your password;
 never post your password where it
can be seen by others;
 never use another person’s password;
 avoid passwords that can be easily
guessed;
 only access systems when you have a
legitimate need.

Privacy Practices Designed to Protect PHI:
2.) Release PHI only after verifying the identity and authority
of the requestor.
3.) Ensure that PHI is appropriately discarded by such means
as shredding.
 Remove PHI from laptops and home computers.
4.) Limit faxing PHI,




only fax to a designated protected fax machine;
confirm the fax number;
verify receipt of the fax;
use a confidential cover sheet.
5.) Limit PHI in E-mails, going out on the internet, unless passwords or
other authentication mechanisms are appropriately used.
Privacy Practices Designed to Protect PHI:
6.) Transmit PHI by telephone only when it can not be
overheard,
 the recipient should be identified
before PHI is released;
 messages left on a phone should be limited
to the name of the person, a request that the
call be returned and the name, and telephone
number of the person placing the call.
7.) When performing physical examinations, take steps to
ensure confidentiality; for example, ask non essential
persons to step outside.
8.) Use cell phones in discrete areas; conduct conversations
in a low voice.
Privacy Practices Designed to Protect PHI:
9.) Don’t discuss PHI in public areas such as hallways,
elevators, cafeterias.
10.) Limit public access to computer monitors which may
contain PHI.
11.) Keep medical records in a secure location, locked room,
or locked cabinet.
Incidental Use and Disclosure
The Privacy Rule recognizes that “incidental use and
disclosure” is inevitable and is not a violation if Lifespan has
implemented reasonable safeguards.
►
Lifespan’s Incidental Disclosure policy describes general privacy
practices which are deemed to be reasonable safeguards.
Misuse of PHI
Misuse of PHI can result in civil and criminal
sanctions:
Inadvertent violations up to $25,000 per year per each
violation.
Deliberate violations up to $250,000 fine and prison sentence
of up to 10 years.
Examples of Misuse of PHI
The HIPAA Privacy Rule is designed to minimize
careless or unethical disclosures of health
information, for example.
 A South Dakota medical student took home copies of 125
patients’ psychiatric records to work on a research project.
When finished, he disposed of the material in the dumpster
of a fast food restaurant, where they were found by a
newspaper reporter.
 In Florida, several hundred hospital workers browsed
through the records of a famous patient that had recently
come to the facility, even though few of them were actually
involved in the case.
Examples of Misuse of PHI
A Montana hospital posted
over 400 psychiatric
records of 62 children on
its public web site where
they remained for weeks
until they were discovered
by a newspaper reporter.
 A Florida county health
department worker copied
lists of HIV patients,
distributed the information
to his friends and sent the
information to a local
newspaper.

Specific Privacy Risk Area
Minors/Emancipated Minors
►
►
►
Confidentiality depends on competency of
person receiving care. If you believe that the
minor patient had the right to consent to care,
it is reasonable to maintain the minor’s
confidentiality.
RI Law - under 18 may consent for routine
emergency care; testing , examination
and/or treatment for any reportable
communicable disease - HIV, STD’s, etc.
Emancipated - any minor who lives away
from home with parent permission but without
parent support may consent to his/her own
treatment.
Key Points
No Lifespan patient will be penalized for filing a complaint
or exercising their rights.
 No adverse action will be taken against any employee or
professional staff member who reports to the Privacy
Officer in good faith, any violation or threatened violation
of the Privacy Rule or related policies.
 Lifespan affiliate staff will investigate all patient complaints
within a reasonable amount of time.
 Lifespan employees and professional staff members can
pose their concerns or questions directly to their supervisor
or to the Privacy Officer, Tom Igoe, 401-444-4728.

The Privacy Office can be anonymously contacted via the Response Line
1-888-678-5111 or by using the confidential email site:
http://intra.lifespan.org/compliance/Form.htm