HIPAA Privacy Training - PowerPoint PPT Presentation

Slides: 46
Provided by: thequeensm

Transcript and Presenter's Notes

1
HIPAA Privacy Training
  • Health Insurance Portability and Accountability Act of 1996
  • Standards for Privacy of Individually Identifiable Health Information
  • 45 CFR Parts 160 and 164

2
The Privacy Rule
  • Creates a national foundation of privacy
  • Does not preempt more stringent state laws
  • Extends
    - Certain individual rights to privacy
    - Protection of individuals' medical records and health information

3
Who's affected?
  • Direct impact
    - Health plans
    - Health care clearinghouses
    - Health care providers (who transmit health information electronically)
  • Indirect impact
    - Business associates (vendors, consultants, contractors)

4
What's protected?
  • Protected health information (PHI) refers to individually identifiable health information relating to
    - a person's past, present and future health or condition
    - provision of health services to the person
    - past, present and future payment for health services to the person
  • Information transmitted or maintained in any form
  • Includes data considered individually identifiable

5
What's individually identifiable?
  • Name
  • Geographic divisions smaller than State (with exceptions)
  • All dates (except year)
  • Phone and fax numbers
  • E-mail address
  • SSN
  • Medical record number
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers
  • Device identifiers and serial numbers
  • Web URLs
  • IP address numbers
  • Biometric identifiers (including finger and voice prints)
  • Full face photo and other images
  • Any other unique identifier
  • Source: 45 CFR 164.514(b)(2)

6
Rules for Use or Disclosure of PHI
  • Treatment, Payment, Health Care Operations (TPO)
  • Opportunity to Object
  • Agreement or Authorization not required (Exceptions)
  • Authorization

7
Permitted Uses of PHI
  • Use or disclosure permitted for
    - Treatment (some facilities may still require patient authorization for release of PHI)
    - Payment
    - Health care operations (quality improvement, staff performance review, training in areas of health care, accreditation, medical review, audits, business planning and development, general administration, etc.)

8
Opportunity to Object
  • Facility directories
  • To clergy
  • To persons involved in the individual's care
  • Notification purposes
  • Disaster relief purposes

9
Agreement or Authorization Not Required (Exceptions)
  • Required by law
  • Public health activities
  • Victims of abuse/neglect/domestic violence
  • Health oversight
  • Judicial/administrative proceedings
  • Limited law enforcement purposes
  • Coroners, medical examiners and funeral directors
  • Organ/tissue donations
  • Research purposes
  • Serious threat to self/others
  • Specialized government functions
  • Workers' comp

10
Authorizations
  • For all other uses or disclosures of PHI

11
Notice of Privacy Practices
  • Describes to the patient how his/her protected health information may be used or disclosed
  • Details the patient's legal rights with regard to his/her own PHI and how to exercise those rights
  • Details the legal obligations of the Covered Entity to protect PHI

12
Individual's Rights
  • To receive the Notice of Privacy Practices
  • To inspect and/or obtain a copy of PHI
  • To request to amend PHI
  • To request limits on certain uses or disclosures of PHI
  • To receive an accounting of disclosures
  • To receive confidential communications
  • To file a complaint

13
Other Requirements
  • De-identification of PHI
  • Minimum necessary
  • Workforce training
  • Verification process
  • Business Associate Contract

14
Other Restrictions
  • Marketing
  • Fundraising
  • Specially Protected Health Information
  • Additional protections under Hawaii State law
    relating to release of HIV, mental health and
    substance abuse treatment records

15
Consequences of Non-compliance
  • Penalties
    - Civil: $100 per violation, up to $25,000 per year
    - Criminal: up to $250,000 and/or 10 years in prison

16
Sanctions
  • A facility is required to sanction members of
    workforce (including students) who violate
    policies and procedures relating to privacy and
    security of health information
  • Student sanctions may include suspension or
    termination of access privileges to PHI and/or
    participation in educational programs at facility

17
What You Need to Know About Each Facility
  • Facility Directory
  • Family Involvement
  • Minimum Necessary
  • Appropriate Educational Access/Use
  • Requesting/Disclosing PHI for Treatment
  • Request/Disclosures to Government Agencies
  • Patient's Request to Restrict Use or Disclosure

18
What is a Facility Directory?
  • The information about a patient that a hospital releases to callers, visitors or the media
  • This information is limited to
    - Location
    - Condition
  • May only release directory information to people who ask for the patient BY NAME

19
Facility Directory
  • Patient may ask that NO INFORMATION be released to callers, visitors or media
  • Each hospital has procedures for patients with NO INFORMATION status
  • You must be aware of the hospital's procedures
  • Do NOT release information in violation of the patient's information status

20
Facility Directory
  • NO INFORMATION Status
    - PATIENT'S LOCATION/CONDITION WILL NOT BE DISCLOSED TO ANYONE, INCLUDING FAMILY OR FRIENDS
    - Anyone asking for the patient will be told, "We have no information regarding the individual."

21
What should I do?
  • Scenario 1
  • Q: I am approached in the hallway by someone who asks me if I know what room a patient is in. I saw the patient's name on the unit I just left. What should I do?
  • A: Refer the person to the nurses' station, information desk, or hospital operator. You do not know whether the patient has requested a NO INFORMATION status or other restrictions.

22
Family Involvement
  • A patient's health information may be disclosed to family, friends or others if
    - Patient gives verbal agreement,
    - Patient has opportunity to object and does not, or
    - You can infer from circumstances that patient does not object
  • Emergency/incompetent patient: release information using professional judgement about the best interests of the patient

23
Family Involvement
  • Information released must be directly relevant to that person's involvement in the patient's care or payment for that care
  • A patient has the right to request that you not release information to family or others
  • If a patient asks that you not talk with family or others, inform nursing staff of the patient's request

24
What should I do?
  • Scenario 2
  • Q: The spouse of a patient I am seeing approaches me in the hallway and begins asking me questions about the patient. During my assessment visit, the patient indicated that she did not want information shared with her spouse. What should I do?
  • A: A patient has a right to not involve family members or others in his/her care. You should not share any information with the spouse, per the patient's request, and you should alert the nursing staff about the patient's request.

25
Minimum Necessary
  • Need-to-Know Rule
    - Access to information is a privilege. Individuals who are granted access have an obligation to limit access and use to the minimum necessary to perform their duties and responsibilities.

26
Request/Disclose PHI for Treatment Purposes
  • May request/disclose PHI for treatment when
    - Request is from a provider to whom you referred the patient for treatment, or the provider's involvement in the patient's treatment is documented in the medical record, or
    - Patient has signed an authorization or release for the disclosure to the provider, or
    - Provider has requested, in writing, the PHI for treatment purposes

27
Request/Disclosure of PHI to/from Government Agencies
  • Refer to nursing staff, attending physician or
    Privacy Officer
  • Only minimum necessary may be released
  • Must complete an accounting for the disclosure

28
Patient's Request to Restrict Use or Disclosure of PHI
  • Facility may agree to a patient's request to restrict use or disclosure of PHI for treatment, payment or health care operations
  • You must be aware of the facility's procedures and where such restrictions would be documented

29
Use of PHI for Educational Purposes
  • Allowed without patient consent or authorization
  • Parameters of use or disclosure of PHI for educational purposes
    - Appropriate access
    - Minimum necessary for the purpose
    - Protect and safeguard PHI
    - Appropriate disposal upon completion

30
Facially De-identified Information
  • Use of facially de-identified PHI is permitted for educational purposes
  • Remove all individual identifiers, except
    - Patient's medical record number
    - Dates of service
    - Zip code
  • This information is still considered PHI, and remains under federal privacy protections

31
Facially de-identified means removing
  • Name
  • Address
  • Phone and fax numbers
  • E-mail address
  • SSN
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Web URLs
  • Vehicle identifiers and serial numbers
  • Device identifiers and serial numbers
  • IP address numbers
  • Biometric identifiers (including finger and voice prints)
  • Full face photo and other images
  • Any other unique identifier
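The two identifier lists above (slide 5 for full de-identification, slides 30 and 31 for facial de-identification, with the birth date and employer added by slide 41) describe a procedure that is easy to get wrong by hand, so here is an added worked example, written for this page and not code from the slide deck or its provider. It de-identifies a constructed patient record in either mode: facial mode removes the listed identifiers but keeps the medical record number, dates of service and zip code, which is why the result is still PHI; full mode drops those too, keeps only the state and the year of each date, and replaces the birth date with a general age. Free text is scrubbed for names known from the record and for SSN, phone, e-mail and IP patterns. All field names, the regexes and the sample record are assumptions made for this illustration.

```python
"""Added example: facial vs. full (Safe Harbor) de-identification of a record.

Not code from the slide deck. Field names, the regexes and the sample record
are assumptions made for this illustration.
"""
import re
from datetime import date

# Identifier fields removed by facial de-identification (slides 31 and 41).
FACIAL_DROP = {
    "name", "relative_names", "address", "city", "phone", "fax", "email",
    "ssn", "health_plan_id", "account_number", "license_number", "url",
    "vehicle_id", "device_id", "ip_address", "biometric", "photo",
    "employer", "dob",
}
# Slide 30: facially de-identified data keeps the MRN, dates of service and
# zip code, so it is still PHI. Full de-identification (slide 5) drops those
# too and reduces dates to the year; the state is the only geography kept.
FULL_DROP = FACIAL_DROP | {"mrn", "zip"}
SERVICE_DATES = ("admit_date", "discharge_date")

# Identifiers that leak into free text (constructed patterns, not exhaustive).
TEXT_PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]


def age_at(dob, on):
    """General age in whole years (slide 41: '36 year old')."""
    years = on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))
    # Safe Harbor aggregates ages over 89 (from the rule, not from the slides).
    return "90+" if years >= 90 else str(years)


def scrub_text(text, names=()):
    """Redact names known from the record and pattern-matched identifiers."""
    for name in names:
        if name:
            text = re.sub(re.escape(name), "[REDACTED-NAME]", text, flags=re.IGNORECASE)
    for label, pattern in TEXT_PATTERNS:
        text = pattern.sub(f"[REDACTED-{label}]", text)
    return text


def deidentify(record, mode="facial"):
    """Return a new dict with identifiers removed per the chosen mode."""
    if mode not in ("facial", "full"):
        raise ValueError("mode must be 'facial' or 'full'")
    drop = FACIAL_DROP if mode == "facial" else FULL_DROP
    names = [record.get("name", "")] + list(record.get("relative_names", []))
    out = {}
    for key, value in record.items():
        if key in drop:
            continue
        if key in SERVICE_DATES:
            # Facial: dates of service stay; full: year only (slide 5).
            out[key] = value.isoformat() if mode == "facial" else str(value.year)
        elif key == "notes":
            out[key] = scrub_text(value, names)
        else:
            out[key] = value
    # Replace the removed birth date with a general age at admission.
    if "dob" in record and "admit_date" in record:
        out["age_at_admission"] = age_at(record["dob"], record["admit_date"])
    return out


# Constructed sample record (no real patient data).
SAMPLE = {
    "mrn": "MRN-000123",
    "name": "Jane Q. Example",
    "relative_names": ["John Example"],
    "dob": date(1966, 3, 14),
    "address": "12 Sample St",
    "city": "Honolulu",
    "state": "HI",
    "zip": "96813",
    "phone": "(808) 555-0123",
    "email": "jane@example.com",
    "ssn": "123-45-6789",
    "employer": "Example Construction",
    "admit_date": date(2002, 10, 5),
    "discharge_date": date(2002, 10, 9),
    "diagnosis": "syncope",
    "notes": ("Pt Jane Q. Example; husband John Example reachable at "
              "(808) 555-0123 or jane@example.com; SSN 123-45-6789 on file."),
}

if __name__ == "__main__":
    for mode in ("facial", "full"):
        print(mode, deidentify(SAMPLE, mode))
```

The pattern list is deliberately the weak part of this design: regexes catch formatted identifiers but not a name written only in a note, which is why the function also redacts every name the structured record knows about. Anything produced in facial mode must still be handled as PHI (shredded, not thrown in the trash, as slide 44 says).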

32
Allowable Educational Access/Use
  • Treatment
  • Observation
  • Teaching Rounds
  • Retrospective Record or Data Reviews
  • Research (with IRB approval)
  • Case Presentations
  • Patient Logs

33
Is this okay?
  • Scenario 3
  • Q: I heard about a very unusual case in the OR. As a medical student, I am here to learn. I need to know more about the details so I can gain a better understanding of the clinical course. I plan to review the records before I leave for the day. Is this okay?
  • A: No. While it might be argued that educational benefit can be gained by reviewing unusual cases, such review should be formally approved and presented. Individual access to patient records in this type of situation is not appropriate. Electronic records and systems are monitored for inappropriate access.

34
Some Dos and Don'ts: Treatment and Observation
  • Cannot Do
    - Obtain medical records of patients you are not treating/caring for
    - Use data (obtained from your cases) that include patient identifiers such as name, address, birth date
    - Observe patient care without appropriate approval or when the patient has objected
  • Can Do
    - Access medical records of the patients you are treating/caring for
    - Prepare class work with patient identifiers removed
    - Observe patient care with approval from department manager/supervising faculty

35
Some Dos and Don'ts: Teaching Rounds
  • Cannot Do
    - Discuss patients in public areas with no consideration of surroundings
    - Include family members in rounds unless the patient has agreed, or the physician has determined that inclusion is in the patient's best interest
  • Can Do
    - Share patient information during teaching rounds
    - Prepare class work using data from your cases with patient identifiers removed

36
Some Dos and Don'ts: Retrospective Reviews
  • Can Do
    - Access medical records with written approval of supervising faculty member
    - Prepare class work using collected data with patient identifiers removed
    - Use aggregate or de-identified patient information
  • Cannot Do
    - Use information collected for research without IRB approval
    - Publish or publicly present findings without IRB approval or waiver of authorization
    - Contact the patient or the patient's physician
    - Abstract patient identifiers

37
Some Dos and Don'ts: Research
  • Can Do (with IRB approval)
    - Build a database of patient information
    - Access and use patient identifiable information as approved by the IRB
    - Make a public presentation or publish findings using aggregate or de-identified information
  • Cannot Do
    - Any research without IRB approval or waiver
    - Publish or publicly present findings that identify the patient without patient authorization
    - Access and collect patient data in preparation for a research project without IRB approval or waiver

38
What should I do?
  • Scenario 4
  • Q: My supervising faculty member has asked me to review 100 charts of newborn babies to determine whether or not the delivery room temperature has an effect on babies. Do I need IRB approval?
  • A: Maybe. If the intent is purely for quality improvement without intent to publish findings, and you will destroy the database upon completion, then you do not need an IRB approval or waiver. But if you intend to publish, present or use the data you collected for any other purpose and do not have the patients' authorization or an IRB approval or waiver, you would be violating the patients' rights.

39
Some Dos and Don'ts: Case Presentations or Grand Rounds
  • Can Do
    - Access medical records with written approval of supervising faculty member
    - Prepare for presentation using facially de-identified, aggregate or de-identified information
    - Limit audience to healthcare students or professionals if the patient's identity might be inadvertently revealed
  • Cannot Do
    - Display or reveal the patient's name or medical record number in your presentation
    - Present a high-profile or unusual case that may compromise the patient's privacy without the patient's written authorization for disclosure

40
Patient Logs
  • You must facially de-identify all information
    collected and submitted on a Patient Log

41
Some Dos and Don'ts: Facially De-identifying Patient Data
  • Cannot Do
    - Leave patient identifiers in information used/removed
      - Patients' or relatives' names
      - Birth dates
      - Address
      - Employer
    - Take copies of dictated reports home with you (unless reports are facially de-identified)
  • Can Do
    - Use general terms to describe a patient
      - 36 year old
      - White male
      - Living in Arizona
      - Admitted in October 2002
      - Construction worker
    - Black-out, delete or cut-out patient identifiers on hard copy

42
Some Dos and Don'ts: Accessing PHI
  • Cannot Do
    - Remove medical records from the facility
    - Leave patient records or data in a break room or other areas that are not secure
    - Out of curiosity, access the records of a celebrity patient or the records of a patient with an unusual medical condition
  • Can Do
    - Request access to PHI through appropriate channels
    - Request access to medical records through Medical Records
    - Submit the completed appropriate data request form for data reports

43
Is it okay?
  • Scenario 5
  • Q: My friend was admitted yesterday after she collapsed during a bike ride. I am very concerned about her progress and would like to visit, but I don't know which room she is in. Is it okay if I look up the information in the computer system?
  • A: No. Using your access privileges to look up information about a patient when there is no need-to-know (based upon your responsibilities in the hospital) is a violation of patient confidentiality.
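Scenarios 3 and 5 both turn on the need-to-know rule (slide 25), and the deck notes that electronic records and systems are monitored for inappropriate access. The following added example, written for this page and not code from the slide deck or its provider, shows the simplest form such monitoring takes on the defender's side: each access in an audit log is checked against a roster of documented treatment relationships (slide 26), accesses to patients with a NO INFORMATION status or a restriction on file (slides 19 and 28) are escalated, and malformed audit lines are reported rather than skipped, since a gap in the trail is itself a finding. The log format, the roster, the restricted list and the sample lines are all constructed for this illustration.

```python
"""Added example: need-to-know review of EHR access log lines.

Not code from the slide deck. The log format, the roster and the sample
lines are constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed roster of documented treatment relationships (slide 26):
# user -> set of MRNs that user is treating or caring for.
ROSTER = {
    "mstudent1": {"MRN-0001", "MRN-0002"},
    "rn_kai": {"MRN-0001", "MRN-0003"},
}
# Patients with a NO INFORMATION status or a documented restriction
# (slides 19 and 28); accesses to these are escalated.
RESTRICTED = {"MRN-0003"}

# Constructed audit lines: timestamp|user|mrn|action
LOG_LINES = [
    "2002-10-05T08:01:10|mstudent1|MRN-0001|view_chart",
    "2002-10-05T08:03:42|mstudent1|MRN-0002|view_labs",
    "2002-10-05T17:55:01|mstudent1|MRN-0099|view_chart",   # case not assigned (scenario 3)
    "2002-10-06T09:12:30|rn_kai|MRN-0003|view_directory",
    "2002-10-06T12:40:00|mstudent1|MRN-0003|view_chart",   # friend, restricted (scenario 5)
    "garbled line without delimiters",
]


def parse_line(line):
    """Parse one audit line; returns None when the line is malformed."""
    parts = line.strip().split("|")
    if len(parts) != 4:
        return None
    ts, user, mrn, action = parts
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    return {"ts": when, "user": user, "mrn": mrn, "action": action}


def review_access(lines, roster, restricted):
    """Flag accesses with no documented treatment relationship.

    A malformed line is itself a finding: gaps in the audit trail must not
    silently pass review.
    """
    findings = []
    for raw in lines:
        entry = parse_line(raw)
        if entry is None:
            findings.append({"raw": raw, "severity": "low",
                             "reason": "malformed audit line"})
            continue
        if entry["mrn"] in roster.get(entry["user"], set()):
            continue  # need-to-know satisfied
        severity = "high" if entry["mrn"] in restricted else "medium"
        findings.append({**entry, "severity": severity,
                         "reason": "no documented treatment relationship"})
    return findings


def findings_per_user(findings):
    """Count flagged accesses per user for the Privacy Officer's review."""
    counts = defaultdict(int)
    for f in findings:
        counts[f.get("user", "<unparsed>")] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in review_access(LOG_LINES, ROSTER, RESTRICTED):
        print(f["severity"], f["reason"], f.get("user"), f.get("mrn"))
```

A real deployment replaces the static roster with the facility's own source of treatment relationships and adds an approved-exception path (for example the written faculty approval slides 36 and 39 require for retrospective reviews and case presentations), but the core check stays the same: access without a documented relationship is reviewed, and the patient's restriction status sets the priority.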

44
Some Dos and Don'ts: Safeguarding Information
  • Must Do
    - Password-protect laptops or PDAs
    - Shred facially de-identified papers when no longer needed
    - Ensure the memory/hard drive has been wiped clean when selling/disposing of a PC, laptop or PDA
    - Encrypt PHI sent over the Internet
  • Cannot Do
    - Leave information unsecured or in public areas
    - Discuss patients in the elevator, hallways or cafeteria
    - Dispose of facially de-identified information in the trash can (it is still PHI under HIPAA!)
    - Share your access codes or cards

45
Questions?
  • For further information or questions, please contact the facility's Privacy Officer