HIPAA Job Specific Education 1 HIPAA Privacy Keys to Success Education for Students Updated February 2010

Upload: yadiel-melbourne

Post on 14-Dec-2015

Page 1: HIPAA Job Specific Education1 HIPAA Privacy Keys to Success Education for Students Updated February 2010

HIPAA Job Specific Education 1

HIPAA Privacy Keys to Success

Education for Students

Updated February 2010

HIPAA and Its Purpose

What is HIPAA?

Health Insurance Portability and Accountability Act of 1996

Title II – Administrative Simplification

It’s a federal law

HIPAA is mandatory; there are penalties for failure to comply

Purpose:

Protect health insurance coverage, improve access to healthcare

Reduce fraud and abuse

Improve quality of healthcare in general

Reduce healthcare administrative costs (electronic transactions)

HITECH and Its Purpose

What is HITECH?

Health Information Technology for Economic and Clinical Health Act

Subtitle D of the American Recovery and Reinvestment Act of 2009 (ARRA)

It’s a federal law

Purpose:

Makes massive changes to privacy and security laws

Applies to covered entities and business associates

Creates a nationwide electronic health record

Increases penalties for privacy and security violations

Civil Penalties for Non-compliance*

| Violation Category | Each Violation | All such violations of an identical provision in a calendar year |
| --- | --- | --- |
| Did Not Know | $100 – $50,000 | $1,500,000 |
| Reasonable Cause | $1,000 – $50,000 | $1,500,000 |
| Willful Neglect – Corrected | $10,000 – $50,000 | $1,500,000 |
| Willful Neglect – Not Corrected | $50,000 | $1,500,000 |

*As of 2/17/09

Criminal Penalties for Non-compliance

• These penalties can apply to any “person”, including students.

• The penalties are higher for actions designed to generate monetary gain:
– up to $50,000 and one year in prison for obtaining or disclosing protected health information
– up to $100,000 and up to five years in prison for obtaining protected health information under "false pretenses"
– up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm

Facility Privacy Official

• The name of the facility’s FPO is Debra Hasling.

• The FPO is responsible for:
– Privacy Program
– Privacy Rights of patients
– Requests for Privacy Restrictions
– Facilitating the training and education of staff

HIPAA Terminology

• HIPAA: Health Insurance Portability and Accountability Act
• HITECH: Health Information Technology for Economic and Clinical Health Act
• PHI: Protected Health Information
• CE: Covered Entity (Hospital)
• ACE: Affiliated Covered Entity (Common ownership)
• OHCA: Organized Health Care Arrangement (The hospital and medical staff will be considered an Organized Health Care Arrangement)
• DRS: Designated Record Set (medical record and billing record)
• AOD: Accounting of Disclosures (patient’s right to receive)
• Directory: Hospital census list used by volunteers and operators with name and room

How will HIPAA affect you?

• Coversheets with confidential statement need to be used on all external faxes.
• Screens need to be placed out of public view when possible
• Patient charts need to be placed in secure area
• PHI needs to be placed in Shred-It containers for disposal
• Patient family members will be given a passcode for information other than directory releases
• Patient information should only be accessed if there is a need to know

NEED TO KNOW

• Any person (including students) who has access to the facility or Company systems or applications may only view information contained in that system when there is a NEED TO KNOW for purposes of treatment, payment or operations.

Accessing Your Medical Record

• You may never access your own medical record via the Meditech system.

• You may access your own medical record by following the procedures as required for any patient.

MONITORING NEED TO KNOW

• HCA’s IT&S Department monitors all individuals who access its medical records through ongoing “Appropriate Access” audits.

• When IT&S determines a student may have accessed a medical record without the NEED TO KNOW, IT&S will contact that student’s supervisor.

How will HIPAA affect you?

• Registration will give out a Notice of Privacy Practices brochure to every patient concerning our patient privacy protection policy.

• Patients will be given the option to “opt out” of our directory.

• Patients have a right to a copy of their medical record

• Authorizations need to be obtained from patient to release information for reasons other than for treatment, payment or healthcare operations (TPO)

What is Protected by HIPAA (PHI)?

Any one of the following is PHI.

• Name
• Address including street, city, county, zip code and equivalent geocodes
• Names of relatives
• Name of employers
• Birth date
• Telephone numbers
• Fax Numbers
• Electronic e-mail addresses
• Social Security Number
• Medical record number
• Health plan beneficiary number
• Account number
• Certificate/license number
• Any vehicle or other device serial number
• Web Universal Resource Locator (URL)
• Internet Protocol (IP) address number
• Finger or voice prints
• Photographic images
• Any other unique identifying number, characteristic, code

What is a Covered Entity (CE)?

• Health plans, health care clearinghouses, and health care providers that transmit electronically for billing
– Examples
  • Hospitals
  • Physician Practices
  • Insurance companies
  • Ambulance Transportation Services
  • Hospice
  • Home Health

What does that mean to me?

• Information may be shared without patient authorization as it relates to treatment, payment or hospital operations (TPO)

• When in doubt… check with the Charge Nurse or Department Director prior to sharing information without patient authorization.

Disclosing PHI to Family Members and Friends Who Call the Unit

• Patients are assigned a four-digit passcode. Family members and friends need this passcode to be able to get non-directory information

• Distribution of the passcode is the responsibility of the patient

Verification of Requestors

• When a Covered Entity makes a request via phone they will need:
– Patient SS# + DOB and one of the following:
– Account number, street address, MR#, birth certificate, insurance card or policy number
– Scenario
  • An unknown physician calling from cell phone must have the patient SS# + DOB and one of the above prior to information being provided to that physician.

External Faxing Guidelines

• Limit when possible
• Verify fax number
• Fax machine must be located in secure location
• ALWAYS use cover sheet with confidentiality statement for transmittals
• Highly sensitive information should NEVER be faxed (HIV status, abuse records, etc.)

Patient’s Right to Access

• Patients may request a copy or inspection of their medical record.

• BUT, students should not provide a copy to the patient nor allow the patient to inspect their medical record.

• Students should direct the patient’s request to the Charge Nurse for follow-up.

Patient’s Right to Opt out of Directory

• A patient can opt out of the directory at any time, but this will most likely happen during the admission process.

• IF A PATIENT OPTS OUT OF THE DIRECTORY… you may not acknowledge the patient is in the facility AND

• You may not give information about the patient to family and friends unless they provide the 4-digit passcode.

Right to Privacy Restrictions

• Patients have the right to request a privacy restriction of their PHI

• But, NEVER agree to a patient-requested restriction

• All requests must be made in writing and given to the FPO to make a decision on

• NO request is so small that it should not be routed to the FPO

Patient Privacy Complaints

• ALL privacy complaints must be routed to the FPO

• No privacy complaint is too small or insignificant

Notice of Privacy Practices

• Patient will receive a Notice of Privacy Practices (NOPP) upon each registration

• Notice of Privacy Practices outlines patient rights
– Right to access
– Right to amend
– Confidential Communication
– Right to Privacy Restriction
– Right to Opt out of Directory

• Ask registration for a copy of the NOPP

Breach Notification

• Beginning February 2010… HITECH provisions require the following notifications when breaches (as defined in the regulations) occur:
– To the patient (the facility is required to send a letter to the patient).
– To the Department of Health and Human Services (the facility notifies DHHS online).
– To the media when the breach involves more than 500 individuals in the same jurisdiction.

Security Compliance

TAKE IT SERIOUSLY

• Log off terminals when not in use.

• Computer screens should be positioned so information (PHI) is not readable by the public

• Printers should be in protected locations so that printed information is not accessible by the public.

• PHI must be disposed of using Shred-It bins.

Common Exposures To Avoid

• Discussions of patient information in public places such as elevators, hallways and cafeterias

• Printed or electronic information left in public view (e.g., charts left on counters)

• PHI in regular trash

• Unauthorized individuals hearing patient sensitive information such as diagnosis or treatment

SOCIAL NETWORKING

• NEVER discuss patients or patient information (even if you think it is unidentifiable) on a social network site, such as Facebook or Twitter.

Disciplinary Action and/or School Notification

3 levels of violations with disciplinary action and/or notification to the school:
– Accidental disclosure of PHI may result in an oral or written warning.
– Purposeful violation of privacy policy may result in notification to school and dismissal from hospital’s student program.
– Purposeful violation of privacy policy with associated potential for patient harm will result in notification to school and dismissal from the hospital’s student program.

Tracking Your Training

Federal law requires each HCA facility to document that you have successfully completed HIPAA training and to track that documentation for six (6) years.

1. You must successfully pass the HIPAA Quiz;

2. Receive a Certificate of Completion from the facility; &

3. Ensure your facility has a copy of both your Quiz and Certificate for their records.

Please keep a copy of your Quiz and the Certificate for your records.

STOP!! STOP!! STOP!! STOP!! Your training is NOT complete!!