1oct2013 new hire privacy training - omnibus

Health Insurance Portability & Accountability Act (HIPAA) (FOR “NEW HIRES”)

Post on 11-Jul-2022


Privacy Oversight

IMC’s Privacy Officer: Roxane C. Martin, RHIA
• Designated Privacy Officer
• Provides training & education
• Investigates and responds to incidents and privacy complaints
• Performs other HIPAA related functions
• 18 years at IMC, nearing 30 years in healthcare

Health Insurance Portability and Accountability Act (HIPAA)

Title I: Portability (1996)
Title II: Administrative Simplification (1998 – future)
  • Transactions and Code Sets
  • Identifiers
  • Security
  • Privacy
Title III: Tax-related provisions (Medical Savings Accounts)
Title IV: Group Health Plans
Title V: Revenue Offsets

HITECH

The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law in 2009 to promote the adoption and meaningful use of health information technology. The HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information by strengthening the enforcement of the HIPAA rules and requiring HIPAA covered entities and their business associates to provide notification following a breach of unsecured PHI.

WHAT IS COVERED BY THE PRIVACY RULE?

PROTECTED HEALTH INFORMATION (PHI)

Any information that identifies an individual AND relates to his/her past, present, or future physical or mental health or condition, or relates to the past, present, or future payment for the provision of health care for that individual.

Includes oral, written, and electronic information

DATA ELEMENTS THAT ARE CONSIDERED TO BE “INDIVIDUALLY IDENTIFIABLE”

• Patient name
• Address
• Zip code (can use 1st 3 digits for populations over 20,000, else “000” as 1st 3 digits)
• Dates of birth/death/admit/discharge
• Ages over 89 – unless grouped into a single category of 90+
• Phone & fax numbers
• Email addresses
• Social security number
• Medical record number, policy number, account number
• Certificate/license number
• Vehicle identifiers
• Device identifiers/serial #’s
• URLs, IP addresses
• Biometric identifiers (finger/voice prints)
• Face photographic images
• Any other unique identifying number, characteristic, or code [room number?]
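To show how these elements are actually removed from a record before it leaves the facility (for a report, a research extract, a vendor), here is an added example in Python; it is not code from the training deck or from IMC. It drops the direct identifiers listed above, keeps only the first three digits of a zip code when that prefix covers more than 20,000 people (otherwise “000”), reduces admission and other dates to the year, and collapses ages over 89 into a single 90+ category. The field names, the sample record, the reference date and the ZIP3_POPULATION table are constructed for the example; a real implementation would take population figures from Census data.

```python
import re
from datetime import date

# Direct identifiers from the list above; always dropped (field names are assumed).
DIRECT_IDENTIFIERS = frozenset({
    "name", "address", "phone", "fax", "email", "ssn", "mrn", "policy_number",
    "account_number", "license_number", "vehicle_id", "device_serial", "url",
    "ip_address", "biometric", "photo", "room_number",
})

# Population per 3-digit ZIP prefix: CONSTRUCTED figures for the example,
# not Census data. Prefixes with 20,000 people or fewer collapse to "000".
ZIP3_POPULATION = {"705": 150_000, "036": 15_000}
ZIP_RE = re.compile(r"^\d{5}(?:-\d{4})?$")

# Reference date for age calculation (the deck is dated 1 Oct 2013).
AS_OF = date(2013, 10, 1)


def deidentify_zip(zip_code):
    """Keep the 3-digit prefix only when its population exceeds 20,000."""
    if not ZIP_RE.match(zip_code):
        return "000"  # malformed value: treat as unknown rather than pass it through
    prefix = zip_code[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"


def age_on(birth, today):
    """Whole years between birth and today."""
    had_birthday = (today.month, today.day) >= (birth.month, birth.day)
    return today.year - birth.year - (0 if had_birthday else 1)


def deidentify(record, today=AS_OF):
    """Return a copy of record with the identifiers above removed or generalised."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out["zip3"] = deidentify_zip(value)
        elif key == "dob":
            age = age_on(value, today)
            if age > 89:
                out["age"] = "90+"           # birth year omitted: it would reveal the age
            else:
                out["age"] = str(age)
                out["birth_year"] = value.year
        elif isinstance(value, date):
            out[f"{key}_year"] = value.year  # admit/discharge/death dates: year only
        else:
            out[key] = value                 # clinical data such as diagnosis codes
    return out


# Constructed sample record, not a real patient.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "000123456",
    "zip": "70560-1234",
    "dob": date(1920, 3, 15),
    "admit_date": date(2013, 9, 28),
    "diagnosis_code": "I10",
    "room_number": "412B",
}


def deidentify_sample():
    return deidentify(SAMPLE_RECORD)


if __name__ == "__main__":
    print(deidentify_sample())
    # {'zip3': '705', 'age': '90+', 'admit_date_year': 2013, 'diagnosis_code': 'I10'}
```

The last bullet in the list (“any other unique identifying number, characteristic, or code”) is the one a field-based scrubber like this cannot catch: free-text notes can carry a name, a phone number or a rare condition just as easily as a labelled field, so they need a separate text-scrubbing pass or must be left out of the extract entirely.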

CIVIL AND CRIMINAL PENALTIES

MONETARY FEES & JAIL-TIME!!

With the enactment of HIPAA, a patient’s right to have his/her health information kept private and secure became more than just an ethical obligation of physicians and hospitals – it became the LAW!! Under HIPAA’s privacy and information security sections, it is illegal to release health information to inappropriate parties or to fail to adequately protect health information from release. Breaking HIPAA’s privacy or security rules can mean monetary fines or jail time!!

There are civil penalties and criminal penalties


Enforcement and Penalties for Noncompliance

The HHS Office for Civil Rights (OCR) is responsible for administering and enforcing the HIPAA Privacy Rule and HIPAA Security Rule and may conduct random audits and investigate complaints and breach reports. Covered entities and business associates that fail to comply with the HIPAA rules may be subject to civil money penalties. The HITECH Act significantly increased the penalty amounts the HHS Secretary may demand for violations, up to $1.5 million per year for each violation, and encourages quick corrective action by the covered entity or business associate.


DON’T: Overlook the severity of HIPAA Violation Penalties

According to HHS, the majority of HIPAA violations from recent years have occurred from employees mishandling PHI, many of which stem from inappropriate social sharing. Violations under the HIPAA Privacy Rule include Civil Money Penalties which can result in fines ranging from $100 – $1,500,000 or Criminal Penalties which can result in fines up to $250,000 and up to 10 years in prison. Other consequences of violating HIPAA include lawsuits, the loss of a medical license or employee termination.


Monetary Fines under HIPAA Omnibus Rule


BREACH NOTIFICATION


When a HIPAA breach occurs, the following steps should be taken:

Report to your compliance officer a brief description of what happened, including the date of the breach, if known, and the date of the discovery of the breach. This will be important when providing notification to the affected individual(s).

(The Notice of Privacy Practices must advise individuals of the covered entity’s (CE’s) obligation to notify them if their PHI is affected by a breach.)

If it is determined a breach has occurred, covered entities and their business associates are required to provide notification following a breach of unsecured protected health information. Individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach.

In addition, your compliance officer will ensure appropriate notification procedures are followed including providing notice to the secretary of HHS and to the media if it is a breach involving greater than 500 individuals.

Employees involved in the breach should (at a minimum) be re-trained on HIPAA Privacy, HIPAA Security and any additional social media policies and procedures.


Understand what is considered a HIPAA violation on social networks

Under HIPAA, a breach or violation is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information (PHI).


Common examples of social media HIPAA violations include:
• Posting verbal “gossip” about a patient to unauthorized individuals, even if the name is not disclosed.
• Sharing of photographs, or any form of PHI, without written consent from a patient.
• A mistaken belief that posts are private or have been deleted when they are still visible to the public.
• Sharing of seemingly innocent comments or pictures, such as a workplace lunch which happens to have visible patient files underneath.

IBERIA MEDICAL CENTER’S SANCTIONS


IMC IS SERIOUS!!!

IMC is committed to protecting patient privacy and confidentiality. When you fail to protect patient information and patient records by not following IMC’s privacy policies, it can have an impact on your ability to do your job, your status with the organization, and your license to practice.

Think very carefully before using and releasing patient information!


IMC’S DISCIPLINARY POLICY

In reference to IMC’s Policy # : HR- O1-8.6 “Discipline and Standards of Conduct“ the following actions are “critical offenses” that justify immediate termination:

2.2.13 Unauthorized access or copying of hospital records, including patient medical charts or unauthorized release of information, including deliberate disclosure of confidential hospital or patient information.

2.2.17 Any breach of hospital confidentiality(patient, hospital, or employee information).

3.2.10 “Unauthorized release of information to the news media” is a “critical offense” which may require immediate suspension.

THE PATIENT’S RIGHTS

• Right to opt out of our “Directory”
• Right to limit the family members/friends we disclose information to (when in room with pt)
• Right to inspect and copy
• Right to request amendments
• Right to an accounting of disclosures
• Right to request restrictions
• Right to receive confidential communications
• Right to a paper copy of our “Privacy Notice”

(See attached Directory information and IMC Privacy Notice)


The Patient’s Rights: Right to request amendments

Amendment. The Rule gives individuals the right to have covered entities amend their protected health information in a designated record set when that information is inaccurate or incomplete. (From the OCR Privacy Rule Summary, last revised 05/03.)

If a covered entity accepts an amendment request, it must make reasonable efforts to provide the amendment to persons that the individual has identified as needing it, and to persons that the covered entity knows might rely on the information to the individual’s detriment.

If the request is denied, covered entities must provide the individual with a written denial and allow the individual to submit a statement of disagreement for inclusion in the record. The Rule specifies processes for requesting and responding to a request for amendment. A covered entity must amend protected health information in its designated record set upon receipt of notice to amend from another covered entity.


Patient’s right to a PAPER COPY:

ANYONE can request a copy of our notice at any time, even if he agreed to receive it electronically, and even if he is not or never will be a patient.

Our most current notice can always be obtained from our website, from any Registration area of the hospital and each of our healthcare delivery sites, or by mailing a written request and self-addressed, stamped envelope to our privacy officer.

Patient has to be given a “NOTICE of Privacy Practices”


NOTICE OF PRIVACY PRACTICES

It’s important that patients understand how THEY can protect their own health information and how WE protect it. Thus, HIPAA requires that providers post notices telling patients how their information will be used.

The “Notice of Privacy Practices” tells patients how we will use their information, and it tells the patients about their privacy rights.

WAYS TO PROTECT PATIENT CONFIDENTIALITY

Minimum Necessary: Who is authorized to see information? Although every employee contributes to the quality of care, that doesn’t mean that everyone needs to see health information about patients.

If you have not been given access to patient information – either in the computer or on paper – it is because your supervisor feels that you do not need to know. That means you should not look at medical records, either in the computer or on paper.

If you feel that you need access to more information than given, contact your supervisor, who will work with the Information Systems department and/or Privacy Officer in obtaining the additional access.


Minimum Necessary – continued

There will be occasions when you will have access to more confidential information than you truly need to do your job. For example, if a patient is placed in an isolation room, you may be able to figure out what type of illness that patient might have. This is confidential information about a patient, and you should not share it with anyone else.


Minimum Necessary – continued

Another example of confidential information is the information about a patient’s condition that you see written on whiteboards around the hospital. The information contained on these boards is used for giving care to patients. It is recorded in places where the public generally will not see it, but you may work in areas where this is visible. You must keep this information confidential and not disclose it to anyone (including coworkers, other patients, visitors, or anyone who may ask).


Minimum Necessary – continued

In the course of doing your job (cleaning a patient’s room, transporting a patient), you may also find that patients speak to you about their condition. There is nothing wrong with this, but you must remember that they trust you to keep what they tell you confidential. Do not pass it on!


Minimum Necessary – continued

Before looking at any patient information, ask yourself the following:

“Do I NEED this to do my job?”

“What is the LEAST amount of information I need to do my job?”

Minimum Necessary means “appropriate access”

IMC Policy: Definition of Confidential Information, Examples of Appropriate Vs Inappropriate Access


EXAMPLES OF “INAPPROPRIATE ACCESS”

• Viewing a friend’s, neighbor’s, or co-worker’s medical or financial information when you are not performing a work duty (medical care, billing, other hospital function) (i.e. for curiosity’s sake or personal use)
• Viewing your spouse or adult child’s records without their authorization
• Viewing your own test results without following proper procedure (going to the HIS department)


EXAMPLES OF “INAPPROPRIATE ACCESS”

• Viewing a fellow employee’s medical or financial information – even if he/she requests you to do so – if you are not an employee of the HIS or Business Office departments and your job duties do not include disclosing or discussing such information with patients (Lab & Xray staff)
• PHYSICIANS: Viewing medical records of patients who are not assigned to them or their call-group.


MAINTAINING RECORDS

When patient information is in your possession, you are responsible for safeguarding it. Do not leave it unattended in an area where others can see it. This is especially important in public buildings, areas where treatment or other healthcare services are provided, and areas with heavy pedestrian traffic.


Maintaining Records, continued:

When you are finished using paper patient information, return it to its appropriate location (medical records department, file slot at a nursing station, etc).

When you are finished looking at electronic patient information, back out to a screen that does not contain the patient’s name, or log off of the system if you will be away from it. Do not leave the information visible on an unattended computer monitor.


Maintaining Records, continued:

When discarding paper patient information, make sure the information is shredded or locked in a secure bin to be destroyed later. Leaving paper patient information intact in a wastebasket could lead to a privacy breach.


MORE WAYS TO PROTECT PATIENT CONFIDENTIALITY:

• Knock on a door and ask to enter before entering a room.
• Close patient room doors when discussing treatments and administering procedures.
• Close curtains and speak softly in semi-private rooms when discussing treatments and administering procedures.
• Do not discuss patients in elevators, hallways, or cafeteria lines.


More ways to protect patient confidentiality, cont’d:

Do not page patients using information that can allow others to identify the patient’s condition or reason for being here.

If visitors ask you for information about a patient, direct them to the information desk (PBX) for assistance rather than giving out patient names or locations yourself. If you have access to the hospital’s directory, check it to ensure the patient has agreed to be listed before you disclose any information.


More ways to protect patient confidentiality, cont’d:

Keep patient records locked away and out of public areas. If you find records unattended, return them to the medical records department, charge nurse, or nurse supervisor.

Do not post notes containing patient information where the public can see them (bulletin boards, sticky notes on computers).


More ways to protect patient confidentiality, cont’d:

Do not leave messages regarding patient conditions or test results on answering machines or with anyone other than the patient.

Direct all news media inquiries to administration! (TV, radio, newspaper)


“AUTHORIZATION”


AUTHORIZATION: An authorization is a written agreement, voluntarily signed by the patient, that allows PHI about the patient to be used by a specified party or disclosed to a specified party for a stated purpose.

Patients have the right to revoke their authorization at any time.

Providers may NOT refuse to treat patients who won’t sign an authorization form.


AUTHORIZATION REQUIRED: Authorization is NOT required when the use/disclosure is for TOP (Treatment, Operations, or Payment).

Authorization is NOT required for those times we are permitted or required by law to disclose information (see “exceptions”).

Authorization is always needed for release of psychotherapy notes, even if being used for treatment or payment (not applicable for IMC).


HEALTH CARE OPERATIONS

Any of the following activities in which a covered entity participates:

Quality assessment and performance improvement

Case management

Competency reviews, certification, licensing, and credentialing activities

Legal services and auditing functions, including fraud & abuse detection & compliance programs

Business planning & development


“EXCEPTIONS” (LAWS WHICH REQUIRE OR PERMIT USE/DISCLOSURE WITHOUT AUTHORIZATION)


EXCEPTIONS: There are some cases in which the law mandates that certain health information be reported about patients. In these cases, the facility has a responsibility to release information, regardless of whether the patient agrees.


EXCEPTIONS: Unless reporting of the information which follows is part of your job, you should not report this information yourself!!

If it IS your job to report the following, the Privacy Officer is to be notified so that the disclosure can be accounted for. (We’ll discuss “accounting” and how to notify the Privacy Officer later).

If ever in doubt about whether or not certain reporting is required, contact the Privacy Officer!


Exceptions – no authorization needed:
a) When required by law
b) Public Health reporting of certain diseases or vital events, child abuse
c) Adult abuse – (mandatory for >60 yrs and incompetent/disabled adults)
d) Health Oversight
e) Judicial and administrative proceedings
f) Decedents – to coroners, medical examiners, and funeral directors to carry out their authorized duties.
g) Organ, eye, tissue donation – LOPA entitled to info
h) Research – Authorization is not required if waived by a review board (which IMC does not have, thus authorization would be required).


Exceptions – no authorization needed:
i) To avert a serious threat to health or safety – to someone who can minimize the threat (including the intended target). Note that psychologists, psychiatrists, and board-certified social workers are mandated to report such threats or admission of crime, and admission of being an escapee.
j) Specialized government functions: Includes military and veterans activities, foreign military personnel, national security and intelligence activities, protective services for the President and others, medical suitability determinations activities of the Department of State, and to correctional facilities about inmates.
k) Workman’s Comp


Exceptions, continued: l) Law enforcement:

As required by law to report certain types of wounds or other physical injuries.

To assist in identifying or locating a suspect, fugitive, material witness, or missing person, provided that the only info given is limited to: name & address, date and place of birth, SS#, blood type and Rh factor, type of injury, date and time of treatment, date and time of death if applicable, and physical description (height, weight, gender, race, hair and eye color, presence or absence of beard/mustache, scars, and tattoos).


Exceptions, continued: l) Law enforcement, cont’d:

When the patient is a victim of a crime and the individual agrees to the disclosure OR, if the covered entity is unable to obtain agreement because of incapacity or emergency circumstance, the law enforcement official represents that (a) such info is needed to determine if a crime has been committed against the victim and that the info is not intended to be used against the victim, and (b) immediate law enforcement activity that depends on the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure, AND the covered entity exercises professional judgment and determines that the disclosure is in the best interests of the individual.


Exceptions, continued: l) Law enforcement, cont’d:

When there is suspicion that the individual’s death may have been a result of criminal conduct.

Any PHI that the covered entity believes in good faith constitutes evidence of criminal conduct that occurred on the covered entity’s premises.

In off-premises emergency treatment situations (e.g. ambulance crews at the scene) in order to alert law enforcement to: the commission and nature of a crime; the location of a crime or of a victim; and the identity, description, and location of the perpetrator of such crime. If the emergency situation is believed to be due to abuse, neglect or domestic violence, then the rules for reporting abuse override.


VERIFICATION REQUIREMENTS

Regardless of whether an authorization is required or not, you must verify the identity of the requestor of PHI and the authority of that requestor to have access to the information prior to disclosing it.

(This excludes disclosures made in accordance with the facility directory and individuals involved in the patient’s care.)


REMEMBER: You should ONLY report the information just discussed if it is your job to do so! If you DO make a required report, the Privacy Officer is to be notified so that the disclosure can be accounted for! (This may be accomplished by a log book, or by leaving a report for your manager at the end of your shift).

If you receive a subpoena to give a deposition, give a copy of the subpoena to the Risk Manager and/or the Privacy Officer ASAP!!

If ever in doubt, or if you feel you’re being intimidated, threatened, or coerced into releasing patient information, contact the Privacy Officer!


REMEMBER: Protecting confidential information is a responsibility that the entire workforce shares, including students & volunteers, regardless of whether they directly care for patients.

Remember that you are not to seek out confidential patient information other than when required by your job. When it is made available to you, you are not to repeat it to anyone.

Protecting patient confidentiality is not just an ethical obligation or a hospital rule, it is the LAW!


SECURITY REGULATIONS


SECURITY RULES FOR ELECTRONIC DATA: HIPAA’s security rule establishes regulations to protect health information stored or transmitted electronically.

The Information Systems department will assist our facility in compliance with these regulations (in effect since 2005), but there are some things that we will all be responsible for concerning computer usage….


Passwords: Passwords and other security features that restrict access to the computer system protect patient information.

NEVER share passwords, log in to the computer using someone else’s identity, or perform transactions under another user’s identity. Letting someone else use your password, or logging on and letting him/her use the system under your access code, may seem like a timesaver, but it is essential that the facility be able to tell who gains access to what records.

Do not post passwords in unprotected locations or keep them where others may find them.

Avoid guessable names for your passwords, such as names of your family members or pets.

Change your passwords regularly.


Audit Trails: The Security regulations require random audits and monitoring of employee and provider access to determine appropriateness of access, and if access is in compliance with policies.

Audit trails show what patients have been accessed, the date and time of the access, what was accessed, etc.

If access appears to be inappropriate, the Privacy Officer works with leaders, Human Resources and the employee/provider to determine whether or not it was appropriate.
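One way to turn such an audit trail into the review described here, using the “inappropriate access” examples earlier in the deck (viewing your own record outside the HIS process, viewing a co-worker’s record when you are not HIS or Business Office staff, a physician viewing patients outside their assignment or call group), is a small rules pass over the access log. The following is an added example in Python and not code from the training deck or from IMC; the log line layout, the role labels, the user and patient IDs, and the assignment and call-group tables are all assumptions constructed for the example.

```python
import re
from collections import namedtuple

Event = namedtuple("Event", "ts user role patient action")
Finding = namedtuple("Finding", "ts user patient reason")

# Assumed log line layout, e.g.
#   2013-10-01T08:15:22 user=jdoe role=RN patient=P2001 action=VIEW
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"patient=(?P<patient>\S+) action=(?P<action>\S+)$"
)

# Role labels are assumptions. HIS and Business Office staff may handle any
# record as part of their duties; clinical roles need a treatment relationship.
RECORDS_ROLES = {"HIS", "BUSINESS_OFFICE"}
CLINICAL_ROLES = {"MD", "RN", "LAB", "XRAY"}

# Constructed reference data: the patient ID each employee has as a patient,
# each clinician's assigned patients, and call-group membership.
EMPLOYEE_PATIENT_ID = {"jdoe": "P1001", "rsmith": "P1002", "kwhite": "P1003"}
ASSIGNMENTS = {
    "jdoe": {"P2001", "P2002"},    # RN: unit census
    "rsmith": {"P2001", "P2003"},  # MD: own panel
    "tlee": {"P2004"},             # MD: own panel, covers for rsmith
}
CALL_GROUPS = {"rsmith": {"tlee"}, "tlee": {"rsmith"}}


def parse(line):
    """Return an Event for a well-formed line, or None."""
    m = LINE_RE.match(line.strip())
    return Event(**m.groupdict()) if m else None


def allowed_patients(user):
    """Patients a clinician may view: own assignments plus call-group coverage."""
    allowed = set(ASSIGNMENTS.get(user, ()))
    for peer in CALL_GROUPS.get(user, ()):
        allowed |= ASSIGNMENTS.get(peer, set())
    return allowed


def classify(ev):
    """Reason the access is inappropriate per the rules above, or None if it looks fine."""
    if EMPLOYEE_PATIENT_ID.get(ev.user) == ev.patient:
        return "self-access outside the HIS request process"
    if ev.patient in EMPLOYEE_PATIENT_ID.values() and ev.role not in RECORDS_ROLES:
        return "co-worker record viewed by staff outside HIS/Business Office"
    if ev.role in CLINICAL_ROLES and ev.patient not in allowed_patients(ev.user):
        return "no assignment or call-group relationship with the patient"
    return None


def review_log(lines):
    """Run every line through classify(); unparseable lines are skipped."""
    findings = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        reason = classify(ev)
        if reason:
            findings.append(Finding(ev.ts, ev.user, ev.patient, reason))
    return findings


# Constructed sample log, not real audit data.
SAMPLE_LOG = """\
2013-10-01T08:15:22 user=jdoe role=RN patient=P2001 action=VIEW
2013-10-01T08:16:40 user=jdoe role=RN patient=P1001 action=VIEW
2013-10-01T09:02:11 user=rsmith role=MD patient=P2004 action=VIEW
2013-10-01T09:05:03 user=rsmith role=MD patient=P2005 action=VIEW
2013-10-01T12:30:45 user=jdoe role=RN patient=P1002 action=VIEW
2013-10-01T13:10:00 user=kwhite role=HIS patient=P1002 action=PRINT
this line is not an access record
""".splitlines()


def review_sample():
    return review_log(SAMPLE_LOG)


if __name__ == "__main__":
    for f in review_sample():
        print(f"{f.ts} {f.user} -> {f.patient}: {f.reason}")
```

Two points to keep in mind when running something like this in practice. The output is a worklist for the Privacy Officer, not a verdict: assignment tables lag reality (floats, consults, a nurse covering a neighbouring unit), so every finding still goes through the manager/HR review the slide describes. And the check only works if the audit trail records the real person, which is exactly why the password slide above forbids logging in under someone else’s identity.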


E-mail Systems: Remember that work e-mail accounts are not meant for personal use. Opening files from an unknown source can open the door to viruses and hackers.

Information about our patients may be communicated via e-mail for work-related purposes, but the patient’s identity must not be included. (Last names and account, medical record, or room numbers and dates may be used.)


More steps for protecting electronic information: Make sure computer screens are pointed away from the public and that computers are not displaying patient information when they are not in use.

If you notice screens and information that appear easy for passersby to see or read, let the user or someone in the department know about the problem so it can be corrected right away.

Use screen savers to block patient information displayed on unattended computer monitors.


Protecting electronic information, cont’d:

Never remove computer equipment, disks, or software from the facility, even if you think it is no longer used, unless you have permission from your supervisor.

Special precautions must be taken by the Information Systems department to ensure that all patient information is removed from “old” computers before they are discarded or from any computer transferred from one user to another.


Protecting electronic information, cont’d:

Never load personal software onto a work PC without two things:
• Proof of licensure
• Approval of the Information Systems Department (so that the facility’s information security can be maintained, and so that new software programs will not use too many resources or conflict with the facility’s software systems already in place)


Protecting electronic information, cont’d:

It is everyone’s responsibility to protect Iberia Medical Center’s systems, equipment and computers at all times against malicious software and viruses!

Do not disable anti-virus software, malware protection, or any other security items unless directed by the IS Department.

If you have access from offsite (remote Citrix, Outlook web access, VPN, SSL, URL, etc.) and/or a PC, pager, phone, or PDA, this is for your use only. Family and friends may not utilize it.


Faxes: HIPAA does not address faxing patient information specifically, but does protect it under the privacy rule. Faxed patient information can easily fall into the wrong hands, which would be a violation of privacy.

IMC has a “faxing” policy, which includes the following:


Internet Usage: IMC has an Internet Access policy detailing acceptable use of the Internet. This policy was created to:

Describe acceptable use of the Internet

Maintain efficient bandwidth

Prevent inappropriate downloading from the Internet

Ensure public Wi-Fi usage for patients and visitors

Inappropriate use of the Internet can result in disciplinary action, including termination!!!


ACCESSING YOUR OWN INFORMATION


Accessing Your Own Records: Policy: Definition of Confidential Information, Examples of Appropriate Vs Inappropriate Access

Viewing your own test results without following proper procedure (going to the HIS department) is considered “inappropriate access.” Why?

• Many covered entities require employees to request access to their own medical records in the same manner as any other patient
• This reduces the temptation to look at other records (e.g. a friend’s or relative’s)
• Employee’s role ends when you become a patient
• Gives your physician the opportunity to communicate and coordinate your care
• Compliance as required to ensure the integrity of records


Accessing Your Own Records:

How do I access my records? It’s really, really SIMPLE:
1. Call or come by Health Information (Medical Records ext. 7127)
2. Complete an authorization form (on IMC website, soon to be on Intranet)
3. ROI form will be scanned onto your account

Have you signed up for IMC’s Patient Portal? A summary of care and some test results are accessible to patients, including employees, on our portal.


REMEMBER:

Even if you do not have access to computers or paper records yourself as part of your job, by being on the lookout for potential violations of privacy, you help the facility keep its commitment to patient confidentiality.

You should always feel comfortable about going to your supervisor or the Privacy Officer with questions about how to respond in situations in which privacy or confidentiality seem to be at risk.

Report “near-misses” to the Privacy Officer so that incidents can be trended and proper education can take place.

IMC’S COMPLAINT PROCESS


COMPLAINTS: Complaints received by the patient representative, case manager, ombudsman, or risk manager from external sources (patients, the public) that pertain to our privacy practices should be documented onto a “Complaint Form” and forwarded to our Privacy Officer, who will conduct an investigation and respond to the complainant as appropriate.

Other employees aware of an external complaint should direct the complainant to the Privacy Officer.

Employees may submit their privacy concerns or complaints, or report violations to our Privacy Officer, to our Compliance Officer, or to our Compliance Hotline.These complaints do not have to be in writing and may be made anonymously.


Complaints, continued:

There will be no intimidating or retaliatory acts against anyone (patient or employee) for filing a complaint or against anyone for testifying or assisting in investigation of a complaint.

Likewise, there will be no intimidating or retaliatory acts against anyone for refusing to participate in anything that person in good faith believes is in violation of the Privacy Rule. (Refusal to participate in something you feel in good faith to be in violation of the Privacy Rule must be demonstrated in a reasonable manner that does not involve disclosure of PHI in violation of the Privacy Rule.)

Remember… As an employee, physician, student, volunteer, or contracted person of Iberia Medical Center, one of your jobs is to help maintain the privacy of our patients as they receive care and protect the confidentiality of information that patients give to their providers.

There will be times when you will hear or see patient information. You are expected not to seek out information about patients unless it is job-related. When you do see or hear information in the course of doing your job, you are not allowed to repeat it or share it with others. This applies “FOREVER” -even when you no longer work at this facility!

“PRIVACY” CASE SCENARIOS: What should you do?


Case Scenario #1:

You are called to work in a patient's room to perform a routine job assignment. You knock on the door and are invited in. You see that a nurse is in the room discussing the patient's condition or medication.

What should you do? Should you ask if it's OK to perform your job or should you come back later?


Answer, Case Scenario #1: If the task is critical to patient care (drawing a blood specimen for a stat request), ask whether you can interrupt. Otherwise, explain that you are there to perform a routine job and will return in 15 or 20 minutes. That protects patients' privacy by allowing them to conduct their discussion without being overheard.

While some patients may say that it's OK to remain in the room during a conversation, remember that patients might not feel comfortable sharing complete information about symptoms while you are in the room. They also might not feel comfortable asking you to leave. Some nurses might even forget that you shouldn't be in the room while they are discussing treatment with a patient.

That's why good privacy practices require that you tell them you will return later to complete your work so that you don't interfere with the patient's care.


Case Scenario #2:

You are working in the emergency department when you see that a neighbor has just arrived for treatment after a car crash, and you hear someone saying that he will be taken to surgery soon.

Should you notify the neighbor's wife that her husband arrived in the emergency department?


Answer, Case Scenario #2:

NO! The correct course of action is to tell the nursing staff that you know the patient and his wife and to ask whether they need help locating her; if so, you may be asked to help by providing information.

When patients are in the hospital, they have the right to decide who should know they are there. Your neighbor has a right to privacy. He may not want to notify his family of his accident. If he is conscious, the emergency department staff will allow him to decide who should be notified of his presence at the hospital.

If he is unconscious, the doctors and nurses will use their professional judgment about whether to notify his wife and will decide whether you, as a friend, should be involved in any way. Leaving this decision to the emergency staff is essential.


Case Scenario #3:

A patient has had an adverse reaction to his medications. His nurse tries several times to reach the patient’s physician for instructions, with no success. Finally, she reaches the club where the physician is attending a social event. She asks the receptionist to tell the physician “Mr. Olsen has had an adverse reaction to his medications, and nurse White urgently needs you to call her back.”

What should the nurse have done differently?


Answer, Case Scenario #3:

Leaving a message with someone other than the physician that includes identifying details about the patient is a breach of confidentiality.

Never leave a message containing specific information that could identify a patient with any third party other than the physician’s office staff or answering service, and never leave such a message via voicemail or on an answering machine.

The nurse should have simply requested the physician call her back immediately about an urgent patient matter. She could also have further clarified the urgency by indicating that one of his patients has just had an adverse reaction, but no further information. (Avoid giving room numbers, as the receptionist may know the patient in room 220 at our facility!!)


Case Scenario #4:

Susan is an ultrasound tech, and she has just heard through the grapevine that her friend Ann, an ER nurse, is pregnant. The ER staff members would like to give Ann a baby shower, but nobody knows when the baby is due or whether it is a boy or a girl. Susan has access to the records and could easily find out the answers to both of those questions.

Is it ok for Susan to get the information about the baby’s due date and sex and let the ER staff know so they can surprise Ann with a really good shower?


Answer, Case Scenario #4:

NO!! This is clearly an unauthorized use of medical information. Remember that you should never look at the records of patients for whom you are not caring or performing a work-related assignment.


Case Scenario #5:

You are a nurse in the ER. A child is brought in with suspicious bruises and other injuries. You suspect that the child is being abused, but her mother insists she is not and begs you not to report the incident.

What should you do?


Answer, Case Scenario #5:

Louisiana law mandates that suspected abuse of children, disabled/incompetent adults, and the elderly (60 years and older) be reported.

The suspicion MUST be reported, regardless of patient (or, in this case, parent) objection.

When the law says you “shall” report or you are “required” to report – it means you MUST report it, regardless of patient objection.

When the law says you “may” or you are “permitted” to report something – it means you CAN report without the patient’s authorization, but you can also obtain authorization if you’d like.


“SECURITY” CASE SCENARIOS: What should you do?

Case Scenario #6:

It has been regular practice to leave computer systems open and logged on at the nurses’ station computer at the end of a shift. This saves time during shift changes for staff who need to retrieve test results or place orders.

Is this an allowable practice under HIPAA?


Answer, Case Scenario #6:

NO!! It may be a timesaver, but this practice is not allowed. It is equivalent to sharing a password.

When many employees gain access to the system under the same password, there is no way to audit who sees records.

Generally, you shouldn’t leave the system open when you leave the workstation.


Case Scenario #7:

A man tells you that he is here to work on the computers. He wants your password to log on to the hospital’s computer system.

What should you do?


Answer, Case Scenario #7:

Ask the man who contacted him to work on the computers, then direct him to that person.

The contact can take him to the appropriate area and give him the information he needs.

If the repairman cannot tell you who placed the work request, call the Information Systems department.


Case Scenario #8:

You enter a work area and notice a password for the computer system is posted on the wall.

What should you do?


Answer, Case Scenario #8:

Notify the supervisor of that area that a password appears to be publicly visible and that you are concerned this might allow unauthorized access into the hospital’s computer system, putting confidential information at risk.


Case Scenario #9:

You find an old, forgotten computer in the back of a room that’s being used for storage. You are certain the machine is not being used any longer.

Can you take this computer to use at home or in another work area?


Answer, Case Scenario #9:

NO! You must first consult with your supervisor. Any unauthorized removal of facility property is considered theft, so under NO circumstances are you to take the computer out of the facility without approval.

Even if you do intend to use the computer for work purposes, you should first ask your supervisor to ensure (with the help of the Information Services department) that unnecessary patient records or other confidential information has been adequately removed.


Case Scenario #10:

You are walking by a trash can and notice that a pile of photocopied records has been laid on top of the trash.

What should you do? Should you shred the documents or place them into a container for documents waiting to be shredded?


Answer, Case Scenario #10:

If you KNOW for certain these records are ready for destruction, you may shred them or place them in the “to be shredded” container.

Otherwise, gather the documents and take them to the supervisor of that area.

This should be reported to the Privacy Officer so that the facility can determine why the records were disposed of improperly and education can take place.


Case Scenario #11:

You are responsible for retrieving medical records when the HIS department is not staffed. Upon entering the Medical Records department, you find that the door is unlocked.

How should you respond?


Answer, Case Scenario #11:

Carry on with the task you are doing (pulling medical records for a nursing unit), but lock the door behind you on your way out.

If you know who left the door unlocked, report the incident to that employee’s supervisor.

Report such incidents to the Privacy Officer’s voice mail so that they may be investigated and education may take place.


Answer, Case Scenario #11:

It may seem like a pretty harmless question, but you have no way of knowing whether the person asking is really a friend or what he or she plans on doing with the information.

Direct the gentleman to someone who is authorized to give out directory information, such as the PBX operator or a nurses’ station.

If YOU are authorized to give out directory information, ask yourself the following questions before disclosing any information about a patient:

Is the patient listed in the facility's directory? If so, is there any indication that we have agreed to limit who we release this directory information to? (If “confidential” appears in place of the patient’s name, or “+++++” after the patient’s name, then respond by saying, “I’m sorry, we do not have that person listed as a patient here.”)


Case Scenario #12:

A friend is concerned because his girlfriend is in the hospital. He calls you at work and asks you to find out anything you can.

Should you try to find information for your friend?


Answer, Case Scenario #12:

NO! You should not even acknowledge that the girlfriend is in the hospital. You should direct your friend to the information desk, where he can learn the patient’s location and general condition, IF the patient has agreed to have her information in the directory and IF the girlfriend has not requested other restrictions that we’ve agreed to.

IMC’S Privacy & Security OFFICER

WHAT TO DO NEXT?

Patients or employees may submit their privacy concerns or complaints, or report violations, to our Privacy Officer, to our Compliance Officer, or to our Compliance Hotline. These complaints do not have to be in writing and may be made anonymously.

IMC’s PRIVACY OFFICER: Roxane Martin, RHIA, [email protected]
IMC’s SECURITY OFFICER: Terry [email protected]


HIPAA Awareness:

Thanks for your time and let’s stay HIPAA Wise!

QUESTIONS??

COMPLETE YOUR TEST & SIGN YOUR AGREEMENT!

QUESTIONS? CONTACT ROXANE MARTIN, PRIVACY & COMPLIANCE OFFICER, EXT. 7123

Iberia Medical Center HIPAA Privacy News, September 7, 2004

CAUTION: NOT ALL PATIENTS’ ROOM NUMBERS MAY BE GIVEN OUT!!!!

A “DIRECTORY” is a listing of patients within the facility, their location within the facility, and, in some facilities, the patient’s condition (stable, critical, etc.).

The Privacy Rule mandates that we give patients the opportunity not to be listed in this directory. When a patient chooses NOT to be listed in the directory, hospital staff may not give out the patient’s room number to visitors or family members. The patient is responsible for telling his/her family what room s/he is in and how to phone the patient’s room directly. The patient’s right to “opt out” of our directory is explained to him/her during the registration process.

If a patient chooses to opt out of the directory, the Registration Clerk indicates this within the hospital’s information system (CPSI) by typing multiple “plus” signs (+++) after the patient’s name, filling up the entire “patient name” field. When the last character of the patient’s name field is a “+”, the computer knows this is a confidential patient, causing the patient’s name to be listed as “CONFIDENTIAL” on certain census lists. The Registration Clerk also enters “Y” in the field that asks whether the patient should be omitted from the hospital directory (“Hosp Dir: Y”).

HOW DO WE KNOW WHEN A PATIENT’S ROOM NUMBER SHOULD NOT BE GIVEN OUT?

On printed reports: A patient who has chosen to opt out of the directory will be indicated by one of 3 methods:

• The patient’s name will not appear at all (if the person printing the report does not have access to confidential patients, or if the report was built to not include these patients); or

• The word “CONFIDENTIAL” will appear in place of the patient’s name; or

• The patient’s name will appear, followed by plus signs, indicating the patient has requested confidentiality, and his/her room number should NOT be given out. Example: DOE JANE++++++++++++

Within CPSI: If a patient has chosen to opt out of the directory, the patient’s name will appear followed by plus signs. Example: “DOE JANE++++++++++”

When a patient is “Confidential,” we are to respond to inquiries about his/her room number by saying, “I’m sorry, we do not have that person listed as a patient here.”

Only authorized employees (PBX, Nursing, Registration) are to give out a patient’s room number. These authorized individuals are to FIRST look at either an up-to-date printed nursing census or the patient’s information within CPSI before giving out room numbers. If you do not have access to a printed census or to patients’ information within the computer, you are NOT authorized to give out room numbers!! Please assist visitors by either escorting them to PBX or by phoning the switchboard yourself to assist family members in obtaining this information. If a patient has requested confidentiality, you will be told, “I’m sorry, we do not have that person listed as a patient here.”
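The opt-out conventions described in this newsletter and in the Case Scenario #11 answer above, modelled as an added Python example (not code from Iberia Medical Center or from CPSI): a census parser, the confidential-patient check, and the scripted room-number response. The fixed-width census layout (30-character name field, 5-character room, 1-character Hosp Dir flag), the role names and the sample census lines are assumptions constructed for illustration.

```python
"""Directory opt-out check modelled on the CPSI conventions in the newsletter.

Added example, not code from Iberia Medical Center or from CPSI.  The
fixed-width census layout, the role names and the sample lines below are
assumptions constructed for illustration.
"""
from dataclasses import dataclass

NAME_WIDTH = 30   # assumed width of the CPSI "patient name" field
ROOM_WIDTH = 5    # assumed width of the room column on the printed census
AUTHORIZED_ROLES = {"PBX", "NURSING", "REGISTRATION"}   # from the newsletter
SCRIPTED_DENIAL = "I'm sorry, we do not have that person listed as a patient here."
REFER_TO_PBX = "Let me take you to the switchboard (PBX) for that information."


@dataclass(frozen=True)
class CensusRecord:
    name_field: str     # raw fixed-width name field, '+'-padded when opted out
    room: str
    hosp_dir_omit: str  # the "Hosp Dir" field: "Y" means omit from the directory


def parse_census_line(line: str) -> CensusRecord:
    """Split one line of the assumed layout: name (30) | room (5) | Hosp Dir (1)."""
    line = line.rstrip("\n").ljust(NAME_WIDTH + ROOM_WIDTH + 1)
    return CensusRecord(
        name_field=line[:NAME_WIDTH],
        room=line[NAME_WIDTH:NAME_WIDTH + ROOM_WIDTH].strip(),
        hosp_dir_omit=line[NAME_WIDTH + ROOM_WIDTH],
    )


def is_confidential(rec: CensusRecord) -> bool:
    """True if any of the three opt-out indicators from the text is present.

    CPSI keys on the LAST position of the name field being '+', so a name
    that is only partly padded ("ROE RICHARD+   ...") is not recognised by
    that rule; the Hosp Dir flag is checked as well so the decision fails
    closed when either indicator is set.
    """
    if rec.name_field.strip() == "CONFIDENTIAL":
        return True
    if rec.name_field.endswith("+"):
        return True
    return rec.hosp_dir_omit.strip().upper() == "Y"


def answer_room_request(census_lines, requested_name: str, role: str) -> str:
    """What a staff member may say when asked for a patient's room number."""
    if role.strip().upper() not in AUTHORIZED_ROLES:
        return REFER_TO_PBX                 # not authorised to give out rooms
    wanted = requested_name.strip().upper()
    for line in census_lines:
        rec = parse_census_line(line)
        if rec.name_field.strip("+ ").upper() == wanted:
            if is_confidential(rec):
                return SCRIPTED_DENIAL
            return f"{rec.name_field.strip('+ ')} is in room {rec.room}."
    # Not on the census at all: same wording as for a confidential patient,
    # so the answer never reveals whether the person is here but opted out.
    return SCRIPTED_DENIAL


# Constructed sample census in the assumed layout (not real patients).
SAMPLE_CENSUS = [
    "SMITH JOHN".ljust(NAME_WIDTH) + "214".ljust(ROOM_WIDTH) + "N",      # listed
    "DOE JANE".ljust(NAME_WIDTH, "+") + "220".ljust(ROOM_WIDTH) + "Y",   # opted out
    "CONFIDENTIAL".ljust(NAME_WIDTH) + "305".ljust(ROOM_WIDTH) + "Y",    # placeholder
    "ROE RICHARD+".ljust(NAME_WIDTH) + "118".ljust(ROOM_WIDTH) + "N",    # partly padded
]

if __name__ == "__main__":
    for name, role in [("doe jane", "PBX"), ("Smith John", "Nursing"),
                       ("Smith John", "Housekeeping"), ("nobody", "PBX")]:
        print(f"{role:>12} asks for {name!r}: "
              f"{answer_room_request(SAMPLE_CENSUS, name, role)}")
```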

HIPAA News


IBERIA MEDICAL CENTER NOTICE OF PRIVACY PRACTICES

Effective Date: September 23, 2013

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

If you cannot read or understand this document, someone will read or explain it to you.

OUR PLEDGE REGARDING YOUR MEDICAL INFORMATION

We understand that medical information about you and your health is personal. We are committed to protecting medical information about you. We create a record of the care and services you receive at each of our health care delivery sites (hospital, clinics and other departments). We need this record to provide you with quality care and to comply with certain legal requirements. This notice applies to all of the records of your care generated by each of our health care delivery sites, whether made by our employees or your personal doctor.

This notice will tell you about the ways in which we may use and disclose medical information about you. Disclosure means the release, transfer, or provision of or access to Protected Health Information (PHI). This Notice of Privacy Practices also describes your rights, your obligations, and our obligations regarding the use and disclosure of your medical information.

YOUR RIGHTS

Although your health record is the physical property of the healthcare practitioner or facility that compiled it, the information belongs to you. You have the following rights regarding the medical information we maintain about you:

Right to access and copy your record

You have the right to access, inspect and request a paper copy or electronic copy of your health record maintained in electronic format in accordance with Louisiana Law (R.S. 40:1299.96).

If you request a copy of the information, we are allowed by law to charge a fee for the cost of copying, mailing or other supplies associated with your request. If you wish to inspect and/or obtain a copy of your own medical records, you must submit your request in writing to the Receptionist in the Medical Records Department. The Medical Records Department has a form you may use to make this request. In some limited circumstances, we may deny your request to inspect and/or copy your medical records.

Right to amend or make changes to your record

If you feel that medical information we have about you is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment for as long as the information is kept by or for each of our health care delivery sites. Ask us how to do this.

We may deny your request for an amendment, but we will tell you why in writing within 60 days. The reasons for denying your request include, but are not limited to, the following: 1) the information you are asking to amend is part of a record which was not created by Iberia Medical Center; 2) the information you ask us to amend is not part of the information kept by this hospital; or, 3) the information is accurate and complete.

Right to an accounting of disclosures

You have the right to ask for an “accounting of disclosures.” This is a list (accounting) of the times we’ve shared your health information for six years prior to the date you ask, who we shared it with, and why.

We will include all the disclosures except for those about treatment, payment, and health care operations, for disclosures permitted by law, for disclosures pursuant to an authorization, for disclosures related to national security or intelligence purposes, for disclosures to correctional institutions, and certain other disclosures. We will provide one accounting a year for free but will charge a reasonable, cost-based fee if you ask for another one within 12 months.

Right to request restrictions

You have the right to request that we not use or disclose your health information, sometimes referred to as restrictions. Please be aware that in some instances we are not required to agree to your request.

You have the right to request a limit on the information to someone who is involved in your care or payment for your care. Please be aware that in some instances we are not required to agree to your request. If we do agree, we will comply with your request unless the information is needed to provide you with emergency treatment.

If you request that we not disclose your information to your insurer about a specific health product or service, and you pay for that product or service out-of-pocket in full, we must agree to your request. We are not required to honor this request not to disclose to your insurer or other third-party payor unless you provide payment in full for the undisclosed healthcare services.

To request that confidential information not be shared with your payor source, you must make this request in writing, and provide us with your preferred method of contact. We will not ask you the reason for the request and will accommodate reasonable requests.

Right to receive confidential communications

You have the right to request that we communicate with you about medical matters in a certain way or at a certain location. For example, you can ask that we only contact you at work or by mail, or that we send mail to a different address. However, you are responsible for ensuring that we have been provided with updated contact information for you so that we can most effectively respond to this request.

Right to a copy of this notice

You can ask for a paper copy of this notice at any time, even if you have agreed to receive the notice electronically. We will provide you with a paper copy promptly.

You may obtain a copy of our most current notice in person from any Registration area at each of our health care delivery sites or from our website, www.iberiamedicalcenter.com.

YOUR CHOICES

For certain health information, you can tell us your choices about what we share. If you have a clear preference for how we share your information in the situations described below, let us know and we will follow your instructions:

Hospital Directory

Unless you notify us that you object, we will use your name, location in the facility, general condition, and religious affiliation for directory purposes. This information may be provided to members of the clergy and, except for religious affiliation, to other people who ask for you by name.

Notification

We may use or disclose information to notify or assist in notifying a family member, personal representative, or another person responsible for your care about your location and general condition. In addition, we may disclose information about you to an entity assisting in a disaster relief effort so that your family can be notified about your condition, status, and location.

Communication with others

Health professionals, using their best judgment, may disclose relevant health information to a family member or any other person you identify, regarding your health care or health care payment obligations.

If you are not able to tell us your preference, for example, if you are unconscious, we may go ahead and share your information if we believe it is in your best interest. We may also share information when needed to lessen a serious and imminent threat to health or safety.

Authorization

Without your authorization, we may not use or disclose your psychotherapy notes, unless the notes are being used for carrying out treatment, payment or healthcare operations, or the notes are necessary to defend the hospital from a legal action brought by the individual who is the subject of the notes. We may not use or disclose your health information for our own marketing, nor sell your health information to a third party, without your authorization.

Fundraising

We may use certain information to contact you for the purpose of raising money for our organization. For the same purpose we may provide your name to our hospital’s foundation. The money raised will be used to expand and improve the services and programs we provide the community. You are free to opt out of fundraising solicitation, and your decision will have no impact on your treatment or payment for services at Iberia Medical Center. If you do not want to be contacted for fundraising efforts, you must notify our Director of Marketing by calling our local phone number at (337) 364-0441.


OUR RESPONSIBILITIES

• Make sure that medical information that identifies you is kept private.

• Provide you with this notice as to our legal duties and privacy practices with respect to information we collect and maintain about you.

• Notify you if there is a breach (an inappropriate use or disclosure of your health information that the law requires us to report).

• Abide by the terms of the notice that is currently in effect.

• Notify you if we are unable to agree to a restriction or an amendment that you request.

• Accommodate reasonable requests you may have to communicate health information by alternate means or at alternative locations.

OUR USES AND DISCLOSURES

We will not use or disclose your health information without your authorization except as provided by law or described in this notice. Not every use or disclosure in a category will be listed. However, all of the ways we are permitted to use and disclose information will fall within one of the categories.

For Treatment. We may use medical information about you to provide you with medical treatment or services and share it with other professionals who are treating you. For example, a doctor treating you for a broken leg may need to know if you have diabetes because diabetes may slow the healing process. Medical information about you may be disclosed to people outside each of our health care delivery sites who may be involved in your care, such as family members, your physicians, or a subsequent health care provider, in order to assist this health care provider in treating you once you are discharged from our facility.

For Payment. We may use and disclose medical information about you so that we may bill, receive and collect payment for services rendered by each of our health care delivery sites. For example, we may need to give your health insurance plan some information about surgery you received at each of our health care delivery sites so your health insurance plan will pay us or reimburse you for the surgery.

For Health Care Operations. We may use and disclose your health information to run our practice, improve your care, and contact you when necessary. We use health information about you to manage your treatment and services. We may also use and disclose your information for other health care operations, such as quality assurance, training, case management, accreditation, certification, licensing, auditing and business planning. These uses are necessary to run each of our health care delivery sites and make sure that all of our patients receive quality care.

Health Information Exchange (HIE). We may make your health information available electronically through an information exchange network to other providers involved in your care who request your electronic health information. The purpose of this exchange is to support the delivery of safer, better coordinated patient care. Participation in the information exchange is voluntary. If you do not want your Iberia Medical Center health information to be accessible to authorized health care providers through the HIE, you may opt out. Information about the HIE is available in one of our Registration areas.

Business Associates. There are some services provided in our organization through contracts with business associates. Examples include certain laboratory tests, collection agencies, and a copy service we might use when making copies of your health record. When these services are contracted, we may disclose your health information to our business associates so that they can perform the job we’ve asked them to do and to allow them to bill you or your health insurance plan for services rendered. To protect your health information, however, we require the business associate to appropriately safeguard your information.

Appointment Reminders. We may use and disclose medical information to contact you as a reminder that you have an appointment for treatment or medical care at each of our health care delivery sites.

Treatment Alternatives. We may use and disclose medical information to tell you about or recommend possible treatment options or alternatives that may be of interest to you.


Health-Related Benefits and Services. We may use and disclose medical information to tell you about health-related benefits or services that may be of interest to you.

As Required By Law. We will disclose medical information about you when required to do so by federal, state or local law. For example, we are required to notify law enforcement about incidents of abuse or suspected abuse of a child/children, disabled/dependent persons, and the elderly. We are also required to notify law enforcement when patients present with certain types of wounds such as gunshot wounds.

Public Health Purposes. We may disclose medical information about you for public health activities. These activities generally include the following: to prevent disease, injury or disability; to report births and deaths; to notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition.

Food and Drug Administration (FDA). We may disclose to the FDA health information relative to adverse events with respect to food, supplements, product and product defects, or post-marketing surveillance information to enable product recalls, repairs, or replacement.

A Prospective Employer. We may disclose information about you to a prospective employer if we have been requested by your employer to conduct pre-employment testing.

Health Oversight Activities. We may disclose medical information to a health oversight agency for activities authorized by law. These oversight activities include audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.

Lawsuits and Disputes. If you are involved in a lawsuit or a dispute, we may disclose medical information about you in response to a subpoena, court order or other lawful process. We may also disclose medical information about you in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made to tell you about the request or efforts have been made by you or someone on your behalf to obtain an order protecting the information requested.

Law Enforcement. We may release medical information for law enforcement purposes as required by law, such as providing limited information to locate a missing person or to respond to a search warrant. We may also disclose protected health information to law enforcement if we believe that a crime has been committed on our premises.

Coroners, Medical Examiners and Funeral Directors. We may release medical information to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death. We may also release medical information about deceased patients to funeral directors as necessary to carry out their duties.

Organ Procurement Organizations. Consistent with applicable law, we may disclose health information to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of tissue or organs for the purpose of tissue donation and transplantation.

Research. We may disclose information to researchers when their research has been approved by an institutional review board that has reviewed the research proposal and established protocols to ensure the privacy of your health information. All research projects are subject to a special approval process and very specific privacy requirements must be met.

To Avert a Serious Threat to Health or Safety. We may use and disclose medical information about you when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure, however, would only be for the purpose of helping to prevent the threat from occurring.

Inmates. If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may release medical information about you to the correctional institution or law enforcement official. This release would be necessary (1) for the institution to provide you with health care; (2) to protect your health and safety or the health and safety of others; or (3) for the safety and security of the correctional institution.

Military and Veterans. If you are a member of the U.S. Armed Forces, we may release medical information about you as required by military command authorities.


National Security and Intelligence Activities. We may release medical information about you to authorized federal officials forintelligence, counterintelligence, and other national security activities authorized by law.

Protective Services for the President and Others. We may disclose medical information about you to authorized federalofficials so they may provide protection to the President, other authorized persons or foreign heads of state or to conductspecial investigations.

Workers' Compensation. We may release health information to the extent authorized by and the extent necessary to complywith laws relating to workers’ compensation or other similar programs established by law.

For Proof of Immunizations. We may disclose protected health information about an individual who is a student or prospectivestudent of a school if the information is limited to proof of immunizations.

Change of Ownership. In the event this organization is sold or merged with another organization, your health information willbecome property of the new owner.

OTHER USES OF MEDICAL INFORMATIONOther uses and disclosures of medical information not covered by this notice or the laws that apply to us will be made only with yourwritten permission. If you provide us permission to use or disclose medical information about you, you may revoke that permission,in writing, at any time. If you revoke your permission, we will no longer use or disclose medical information about you for thereasons covered by your written authorization. Understand that we are unable to take back any disclosures we have already madewith your permission, and that we are required to retain our records of the care that we provided to you.

WHO WILL FOLLOW THIS NOTICE

This notice describes the practices of Iberia Medical Center and of:

Anyone authorized to enter information into your chart.

All departments, units and clinics of Iberia Medical Center.

Any member of a volunteer group we allow to help while you are receiving care from one of our health care delivery sites.

All employees, staff, and other personnel at each of our health care delivery sites.

All physicians on staff at Iberia Medical Center follow the terms of this notice in regards to services rendered by our health care delivery sites. These physicians may have different policies or notices regarding their use and disclosure of your medical information created in their office or clinic. Our health care delivery sites and the physicians on our medical staff may share medical information with each other for treatment, payment or operational purposes as described in this notice.

CHANGES TO THIS NOTICE

We reserve the right to change this notice. We reserve the right to make the revised or changed notice effective for medical information we already have about you as well as any information we receive in the future. We will post a copy of the current notice at each of our healthcare delivery sites and on our website. The notice will contain on the first page, in the top right-hand corner, the effective date. In addition, each time you register at or are admitted to one of our healthcare delivery sites for treatment or health care services, we will offer you a copy of the current notice in effect.

FOR MORE INFORMATION OR TO REPORT A PROBLEM

If you have a question or would like additional information, you may contact our Privacy Officer at: Iberia Medical Center; Privacy Officer; 2315 East Main St.; New Iberia, LA 70560. Our Privacy Officer can be reached by phone by dialing the hospital's main number at (337) 364-0441. If you believe your privacy rights have been violated, you may file a complaint with our Privacy Officer or with the U.S. Department of Health and Human Services Office for Civil Rights. All complaints must be submitted in writing. There will be no retaliation for filing a complaint.
