Health Insurance Portability & Accountability Act - PowerPoint PPT Presentation

Provided by: tacomaccE

Transcript and Presenter's Notes

Title: Health Insurance Portability & Accountability Act


1
Health Insurance Portability & Accountability Act
2
What I will learn from this program
  • What is HIPAA
  • Who is covered by HIPAA
  • Goals of HIPAA
  • Definitions
  • What is Protected Health Information (PHI),
    Use, and Disclosure
  • What are Security Rules
  • How does this affect you
  • Why comply

3
What is HIPAA
  • HIPAA: Health Insurance Portability and
    Accountability Act of 1996
  • Original intent was to ensure portability of
    insurance when employment changes.
  • Administrative Simplification
  • Standardization of formats, codes and identifiers
  • Increased security of electronic health data
  • Increased protection of protected health
    information
  • Simplify health care administration

4
Who is covered by HIPAA
  • Covered entities include
  • Health care providers
  • Health plans
  • Health care clearinghouses

5
Goals of HIPAA
  • For Patients
  • Control over their information
  • The right to see their records and correct any
    mistakes in them.
  • The right to know who has seen their information

6
Goals of HIPAA
  • For Institutions
  • Protect patient information
  • Limit use of patient information
  • Penalize those who misuse information

7
Definitions
  • Protected Health Information: Individually
    identifiable health information in any form or
    media. Only authorized people will look at or use
    it for treatment, payment or health care
    operations (TPO)
  • Privacy: Right of each person to keep certain
    personal information to him or herself, confident
    that only authorized people will look at or use
    it.

8
More Definitions
  • Security: Protection of information, data and
    systems from accidental or intentional access by
    unauthorized users.
  • TPO: Treatment, Payment and Operations
  • Minimum Necessary: Minimum amount of information
    you need to know to do your job.

9
What is Protected Health Information
  • Information that identifies a person
  • A person who is living or deceased
  • Past, present or future health information
  • Electronic or paper form, or spoken in
    conversation
  • Examples: Patient charts, lab reports, x-rays,
    billing systems, nursing notes, phone calls, and
    conversations about patients

10
What Makes Information Identifiable
  • Name
  • Address
  • Phone or fax number
  • E-mail address
  • Social Security or medical record numbers
  • Photos
  • Names of relatives
  • Voice, finger, retinal prints
  • Date of Birth
  • Employer
  • Insurance account numbers

11
Who can access this information
  • The privacy rules of HIPAA limit both the Use
    (how the information is used in the institution),
    and Disclosure (how the information is given
    out to other institutions for use).
  • Patients typically give permission for use or
    disclosure of their information by signing a
    written form. Some disclosures are required by
    law, such as reporting of gunshot wounds, child
    abuse and infectious diseases, and do not require
    patient permission.

12
Internal Use
  • Routine access will be limited by job functions
  • Need to know, or minimum necessary needed for
    each task
  • Example (EKG): EKG technicians only need the
    information relating to the EKG; they would not
    need to see patient progress notes or insurance
    information
  • Non-routine access will be limited by policies
    and procedures of each institution

13
Disclosure
  • Providing information to those outside of the
    institution
  • Types
  • Mandatory: dog bites, gunshot wounds
  • Incidental: I accidentally faxed your records to
    the wrong department
  • Malicious: I steal a list of consumer names and
    addresses to sell as a mailing list.
  • Reasonable efforts should be made to give out
    only the least amount of information needed to
    meet the request
  • Example (Transportation Service): a service that
    drives patients to and from appointments would
    only need certain information such as patient
    name, appointment details (time/address) and
    contact phone number; it should not have details
    on other protected health information.

GHC User: You may want to use this slide to show
there are different types of disclosure. Mandatory,
i.e. dog bites, gunshot wounds, etc. Incidental: I
accidentally faxed your records to the wrong
department. Malicious: when I steal a
list of consumer names and addresses to sell as a
mailing list. All of these must be accounted for.
14
Security Rules
  • Protect the systems that store Protected Health
    Information: the hardware and software
  • Systems must be protected so that unauthorized
    people cannot get to the information. Ex:
    Computer systems will require you to change your
    password every so often to protect against
    someone else gaining access to the system using
    your password.

15
Security Rules (Continued)
  • Protect Information itself from unauthorized use
    and misuse by those allowed to view the PHI
  • Ex: a famous person, co-worker, or family member
    is a patient; can you check to see how he or she
    is doing? No! If you are not involved in the
    patient's care you cannot view the information.

16
Summary of Privacy and Security Rules
  • Patients have the right to control their
    information
  • Institutions will limit the use and disclosure of
    information
  • Institutions will protect information on the
    computer

17
So What's New About This Law
  • Sounds like what we have been doing all along,
    Privacy has always been a priority.
  • Now the government has decided what the basic
    requirements are for protection of patient
    information and Institutions are being held
    accountable
  • Patients can be more confident that their
    information will be kept private

18
Privacy. Why?
  • A Tampa Florida man stole a list of 4,000
    HIV-positive patients from a state health worker
    and sent the list to the Tampa Tribune, which did
    not publish it. The man was found guilty and
    sentenced to jail
  • New York congressional candidate's past suicide
    attempt was made public during a campaign. She
    won the election and sued the hospital for
    failing to maintain the confidentiality of her
    medical records
  • An employee of a large Blue Cross/Blue Shield
    plan obtained unauthorized access to the medical
    records of the ex-wife of a friend and sent them
    to his friend.

19
How Does HIPAA Affect You
  • Faculty and Students are held to the same
    obligations and accountability as employees; they
    are seen as part of the workforce under
    affiliation agreements
  • Whether you work directly with patients or not,
    you may find yourself in situations involving
    patient information. What do you do?

20
Protecting Spoken Information: What do you do?
  • You've just made it through a long line in the
    cafeteria and scored an empty table. As you
    settle in to enjoy your lunch, you can hear 2
    co-workers discussing a patient

21
Response
  • Remind them that confidentiality is important,
    public areas may be convenient but when it comes
    to PHI they are not good choices.
  • Find a private space if your job requires you to
    talk about patient information.
  • Do Not Discuss Patient Information in Public
    Areas!

22
What do you do?
  • One day you walk by a room and see someone you
    know. She is not looking well and she seems to be
    by herself. You want to express your concern and
    see if you can help.

23
Response
  • Respecting privacy doesn't mean you have to
    ignore someone you know. But don't ask for
    Personal Health Information
  • She can tell you about her illness, but you can't
    ask, and if told you cannot repeat the
    information you hear.
  • Unless you are involved in the patient's care you
    do not have the right to ask for information or
    even tell other people who the patients are.
  • Don't Ask For Information Even If You Know The
    Person!

24
What do you do?
  • Let's say you entered a patient's room to explain
    a procedure. The patient has several visitors in
    the room who may or may not be family.

25
Response
  • Before entering the patient's room, you should
    first knock and ask permission to enter.
  • If other people are in the room ask permission
    from the patient to talk about his or her care
    with visitors present.
  • Ask Permission From Patient

26
What do you do?
  • You are walking down the hall and are stopped by
    a visitor to get directions

27
Response
  • If you can give a visitor directions without
    asking for personal health information you are
    being courteous and respectful of patient privacy
  • If it is not clear where the visitor is supposed
    to go, or if asked about a patient's condition,
    direct them to the information desk.
  • Be Courteous and Direct Visitors to the
    Information Desk

28
Protecting Spoken Information
  • Around Patient Rooms
  • Knock first and ask to enter
  • Close doors or curtains when talking about
    treatments or doing procedures
  • Speak softly in semi-private rooms
  • In Public Areas
  • Don't talk about patients
  • Direct Visitors to the information desk
  • Don't leave messages on answering machines about
    patient conditions

29
Protecting Written Information: What do you do?
  • Suppose you enter a conference room and find
    papers with patient information left on the table

30
Response
  • Papers that have Protected Health Information
    should be returned to the person who left them.
    If you can't find the owner of the papers, give
    them to your supervisor for shredding.
  • Find The Owner Of Lost Papers Or Give Them to
    Your Supervisor

31
What do you do?
  • Suppose you work in an area where several people
    share a fax machine in a lounge. While you are in
    the lounge a fax including PHI arrives but no one
    comes to get it. Later that afternoon you notice
    the fax is still there.

32
Response
  • Tell your supervisor about the fax
  • If you are someone who shares a fax or printer,
    it is your duty to pick up papers right away.
  • Fax machines and printers are best located in a
    private area, away from public view.
  • Don't Leave Papers With Medical Information
    Unattended

33
Protecting Written Information
  • Find the owner of lost papers
  • Shred Information no longer needed
  • Don't leave papers unattended
  • Keep information away from public view

34
Protecting Electronic Information
  • Keep computer screens pointed away from public
  • Never leave patient information in public areas
    unattended
  • Log-off workstations when leaving the area
  • You Are Responsible For Any Activity On The
    Computer That Is Made With Your User Name

35
Protecting Electronic Information
  • Protect Your Password
  • Don't share it with anyone
  • Never write it down
  • Don't say it out loud
  • Don't e-mail it
  • Report any misuse or problems with your password

36
Protecting Electronic Information
  • Handhelds and Laptops
  • Prevent loss or theft of equipment: never leave
    this equipment unattended
  • Use Passwords to protect information
  • Close programs when not in use

37
Why Should We Comply
  • It is the right thing to do.
  • Patients have rights to privacy
  • It improves the quality of care
  • It is good business
  • Disciplinary Action
  • Can range from counseling to final written
    warning to termination
  • Repeated offenses can result in more severe
    discipline
  • Penalties
  • Civil and Criminal Penalties
  • Against both the individual and the institution

38
Consequences for Noncompliance
  • Violations
  • Wrongful disclosures
  • Gaining access by false pretenses
  • Intent to sell, transfer or use
  • Penalties
  • Up to $50,000 and up to 1 year in prison
  • Up to $100,000 and up to 5 years in prison
  • Up to $250,000 and up to 10 years in prison

39
Enforcement of HIPAA
  • The Office for Civil Rights has been charged with
    enforcing HIPAA privacy regulation

40
Questions About Privacy
  • In some situations it is not clear whether
    privacy rules apply or what the best way to
    handle the situation is
  • HIPAA was never meant to interfere with patient
    care
  • If questions come up or you don't know what to do,
    ask your supervisor
  • When in Doubt, Ask!

41
A Parting Thought
  • If your loved one was a patient, wouldn't you want
    your family's privacy to be protected by the
    people caring for him or her?

42
Resources
  • Federal Register August 14th, 2002 Notice:
    http://www.hipaapro.com/news/hipaa_downloads.cfm
  • Federal Register February 20th, 2003 Notice:
    http://www.hipaapro.com/news/hipaa_downloads.cfm
  • HHS Office of Civil Rights HIPAA Page:
    www.hhs.gov/ocr/hipaa/