
Upload: theresa-tapley

Post on 07-May-2015


TRANSCRIPT

Page 1: Upholding confidentiality

Upholding Confidentiality

It is your ethical responsibility

Theresa Tapley

MHA690: Health Care Capstone

Ashford University

Dr. David Cole

April 23, 2013

Page 2: Upholding confidentiality

Objectives

Understanding of HIPAA

Ethical responsibility to keep each and every patient’s PHI confidential

Patient Privacy Rule and Security Rule

Identification of what PHI is

Ways to protect PHI

Tips for electronic confidentiality protections

Consequences of confidentiality or PHI mishandling

Page 3: Upholding confidentiality

What is Health Insurance Portability and Accountability Act (HIPAA)?

HIPAA is a federal law that gives an individual the right of protection of their personal health information (PHI).

PHI includes all medical and personal information and must be protected whether communication is verbal, written, or electronic.

(U.S. Department HHS, 2012)

Page 4: Upholding confidentiality

Forms of Sensitive Information

Sensitive information exists in various forms:

Printed

Spoken

Electronic

It is the responsibility of every employee to protect the privacy and security of sensitive information in ALL forms.

Page 5: Upholding confidentiality

What Information is Considered Confidential and must be Protected?

Personal billing information

All medical records

Conversations between physician and other medical staff regarding a patient

Information about a patient within their insurance carrier’s database

Page 6: Upholding confidentiality

Patient Privacy Rule Rights

The right to see and obtain a copy of their health record

The right to have corrections added to their personal health record

The right to receive notice about how their health information will be used or shared for certain purposes

The right to get a report of when and why their health information was shared

The right to file a complaint with the provider or health insurer

The right to file a complaint with the U.S. Government

Page 7: Upholding confidentiality

Personal Health Information

How to keep it confidential

Never leave medical records where others can gain access to them

PHI should be guarded and kept confidential, and shared only with healthcare providers involved in the patient’s care

PHI is confidential and should not be viewed on paper or on computer by unauthorized staff

Page 8: Upholding confidentiality

Ways to Protect Confidentiality of PHI

PHI should only be shared with other healthcare professionals directly involved in an individual’s care

Records are kept locked, and only people with a need to see information about patients have access to them

Employees who use computerized patient records do not leave their computers logged in to the patient information system while they are away from their workstations. Computer screens containing patient information are turned away from the view of the public or people passing by.

Page 9: Upholding confidentiality

More Ways to Protect Confidentiality of PHI

Posted or written patient information maintained in work areas such as nurses’ stations or front desk is kept covered from the public.

Discussions about patient care are kept private to reduce the likelihood that those who do not need to know will overhear.

Electronic records are kept secure, and the facility monitors who gains access to records to ensure that they are being used appropriately.

Paper records are always shredded or placed in closed receptacles for delivery to a company that destroys records for the facility. They must never be left in the garbage.
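The monitoring point above (the facility checks who accessed records and whether the use was appropriate) is the one place in this deck that describes an ongoing technical control. The script below is an added example, not part of the original presentation: it reads constructed EHR audit lines, compares each access against an assumed care-team roster, and flags accesses by staff with no need to know. The log format, field names, user IDs and roster are all assumptions made for illustration.

```python
"""Review constructed EHR access-audit records against care-team assignments.

Added example, not from the original slides. The log format, field names and
the care-team roster below are assumptions made for illustration.
"""
from collections import defaultdict

# Constructed sample audit lines: timestamp,user,role,patient_id,action
SAMPLE_AUDIT = """\
2013-04-23T08:02:11,jdoe,RN,P1001,VIEW_CHART
2013-04-23T08:05:40,mlee,MD,P1001,VIEW_CHART
2013-04-23T08:09:02,jdoe,RN,P2002,VIEW_CHART
2013-04-23T08:15:30,kbrown,BILLING,P1001,VIEW_BILLING
2013-04-23T08:20:12,rsmith,RN,P1001,PRINT_CHART
2013-04-23T09:01:55,rsmith,RN,P3003,VIEW_CHART
"""

# Constructed care-team roster: which users have a need to know for each patient
CARE_TEAM = {
    "P1001": {"jdoe", "mlee", "kbrown"},
    "P2002": {"jdoe"},
    "P3003": {"mlee"},
}

def parse_audit(text):
    """Turn CSV-style audit lines into dicts, skipping blank lines."""
    fields = ("timestamp", "user", "role", "patient_id", "action")
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        records.append(dict(zip(fields, line.split(","))))
    return records

def find_need_to_know_violations(records, care_team):
    """Return accesses by users who are not on the patient's care team.
    A patient with no roster entry has an empty team, so every access is flagged."""
    return [r for r in records
            if r["user"] not in care_team.get(r["patient_id"], set())]

def summarize_by_user(violations):
    """Count out-of-team accesses per user so a privacy officer can prioritize review."""
    counts = defaultdict(int)
    for v in violations:
        counts[v["user"]] += 1
    return dict(counts)

if __name__ == "__main__":
    hits = find_need_to_know_violations(parse_audit(SAMPLE_AUDIT), CARE_TEAM)
    for h in hits:
        print(f"{h['timestamp']} {h['user']} ({h['role']}) {h['action']} on {h['patient_id']}")
    print(summarize_by_user(hits))
```

On the constructed sample, both flagged accesses come from one user who is not on either patient's care team; in practice the roster would come from the scheduling or EHR system and the findings would feed the facility's access review rather than be treated as proof of misuse.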

Page 10: Upholding confidentiality

Understanding the Security Rule

The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information (e-PHI).

The Security Rule defines “confidentiality” to mean that e-PHI is not available or disclosed to unauthorized persons. The Security Rule's confidentiality requirements support the Privacy Rule's prohibitions against improper uses and disclosures of PHI

The Security rule also promotes the two additional goals of maintaining the integrity and availability of e-PHI

It requires the designation of a security official who is responsible for developing and implementing the entity’s security policies and procedures.

Page 11: Upholding confidentiality

Electronic confidentiality protections

Keep passwords and other security features that restrict access to your computer private

Never share password access or log in to the health information system using a borrowed credential

Page 12: Upholding confidentiality

More steps for protecting electronic information

Point computer screens away from the public

Never walk away from your computer with PHI up and in view of a passerby

Never remove computer equipment, disks, or software unless instructed to do so by your supervisor

Never send confidential patient information in an e-mail unless it is encrypted

Always double-check the address line of an email before you send it.

Page 13: Upholding confidentiality

Penalties for Breaches

Breaches of the HIPAA Privacy and Security Rules have serious ramifications for all involved. In addition to sanctions imposed by this organization, such breaches may result in civil and criminal penalties.

Statutory and regulatory penalties for breaches may include:

Civil: $50,000 per incident, up to $1.5 million per calendar year for violations that are not corrected

Criminal: $50,000 to $250,000 in fines and up to 10 years in prison

In addition, institutions that fail to correct a HIPAA violation may be fined up to $50,000 per violation.

Page 14: Upholding confidentiality

Best Practice Reminders

DO keep computer sign-on codes and passwords secret, and DO NOT allow unauthorized persons access to your computer. Also, use locked screensavers for added privacy.

DO keep notes, files, memory sticks, and computers in a secure place, and be careful NOT to leave them in open areas outside your workplace, such as a library, cafeteria, or airport.

DO NOT place PHI or PII on a mobile device without required approval.

DO encrypt mobile devices that contain PHI or PII.

DO hold discussions of PHI in private areas and for job-related reasons only. Also, be aware of places where others might overhear conversations, such as reception areas.

DO make certain when mailing documents that no sensitive information is shown on postcards or through envelope windows, and that envelopes are closed securely.

DO NOT use unsealed campus mail envelopes when sending sensitive information to another employee.

DO follow procedures for the proper disposal of sensitive information, such as shredding documents or using locked recycling drop boxes.

When sending an e-mail, DO NOT include PHI or other sensitive information such as Social Security numbers unless you have the proper written approval to store the information and have encrypted your computer or e-mail.

(UNC, 2013)

Page 15: Upholding confidentiality

References

HIPAA (n.d.). HIPAA training handbook for the healthcare staff: An introduction to confidentiality and privacy under HIPAA. Retrieved from http://www.regalmed.com/pdfs/HIPAA_Handbook.pdf

Kongstvedt, P.R. (2007). Essentials of managed health care (5th ed.). MA: Jones and Bartlett Publishers.

U.S. Department of Health & Human Services (2012). Health Information Privacy. Retrieved from U.S. Department of Health and Human Services website: http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html

University of North Carolina (UNC) (2013). HIPAA, privacy, & security. Retrieved from http://www.unc.edu/hipaa/Annual%20HIPAA%20Training%20current.pdf