HIPAA Level One Training

1
HIPAALevel One Training

• Level 1

2
Objectives

• Define HIPAA
• Training Requirements
• Define PHI
• PHI Identifiers
• Requesting Restrictions
• Discarding PHI
• Email, Internet Fax Policies
• Minimum Necessary Policy
• Media Guidelines
• Complaints/Violations
• Sanctions

HIPAA
3
Level I Training Requirements

• The entire workforce must be trained in level I
  including students, volunteers, and agency staff

4
Training Requirements Level Two
All staff defined by the minimum Necessary policy
must attend. This includes all patient care
staff, compliance officers, admitting,
physicians, billing staff, and medical records
staff, etc.
HIPAA
5
Training Requirements Level ThreeBoard, med
exec, VP, CEO, COO, CNO, etc.
6
What is HIPAA?

• Health Insurance Portability and Accountability
  Act of 1996
• Strongest confidentiality protection ever enacted
• Affects any information transmitted orally,
  written or
  electronically
• HIPAA is enforced by The
• Office of Civil Rights
• The HIPAA Police

HIPAA POLICE
7
Acronyms

• HIPAA Health Insurance Portability and
  Accountability Act
• NPP Notice of Privacy Practice
• PHI Protected Health Information
• TPO Treatment, Payment or Health Care
  Operations

8
The Three Rs of HIPAA
9
What Is PHI?(Protected Health Information)

• A persons personal protected health
  information that is used to render care and bill
  for services provided.
• Individually identifiable health information
  that is transmitted or maintained by electronic
  media or in any other form or medium.
• Applies to all patients, both living and
  deceased.

10
Protected Health Information

• (This list is not inclusive.)
• PATIENT NAME
• SOCIAL SECURITY NUMBER
• BIRTHDATE
• ADDRESS
• ACCOUNT NUMBER
• MEDICAL RECORD NUMBER
• DIAGNOSES
• EMAIL ADDRESS
• EMPLOYER
• MEDICAL TESTS
• PRESCRIPTIONS
• TELEPHONE NUMBER

11
Notice of Privacy Practices
NOTICE OF PRIVACY PRACTICES IS GIVEN TO EVERY
PATIENT PRIOR TO SERVICES RENDERED.
12
Notice of Privacy Practices

• Identifies uses and disclosures of PHI by the
  facility
• Rights of the Patient
• Inspect and copy their PHI
• Amend their PHI
• Receive an accounting regarding disclosure of PHI
• Request restrictions to PHI
• Request confidential communications of PHI
• Obtain a paper copy of this notice
• Report a complaint

13
Things to Remember

• All patients, employees, volunteers sign
• confidentiality agreements.
• Patients have a right to control who will have
  access to their medical information.
• It is a breach of confidentiality to take
  pictures of patients or facility events that
  include patients.
• Taking pictures for treatment purposes to be
  included in the medical record does not require
  documentation
• Every person views a patient record must record
  that he/she has seen the file

14
More Things to Remember

• Privacy policies apply even after employment or
  student experience ends.
• Patients have a right to request restrictions,
  however, do not automatically agree to requested
  restrictions. Restrictions must go through
  process of approval

15
Minimum Necessary Policy
HIPAA requires that each health care provider
make reasonable efforts to limit the use or
disclosure of Protected Health Information
(PHI) to the minimum necessary to accomplish
the intended purpose.

• Before you ask someone for patient information,
  always ask yourself, Do I need to know this to
  do my job? If the answer is Yes, then no need
  to worry. If the answer is No, then STOP!

16
Use and Disclosure of PHI

• Permitted for TPO
• Treatment
• Payment
• Health Care Operations
• Additional permitted disclosures (Not all
  inclusive)
• Law Enforcement
• Judicial and Administrative Proceedings
• Health Oversight Activities
• Business Associates

17
Use and Disclosure of PHI

• Patient Directory Information
• If someone inquires about a patient by name, the
  facility will provide the location and their
  general condition.
• Celebrities and other public officials are
  subject to the same standards
• Patient has the right to opt out of the patient
  directory information.
• general conditions include Good, Fair,
  Serious, Critical
• Clergy will be given patient name religious
  affiliation.

18
Use and Disclosure of PHI

• Disclosure of PHI to Individuals Other than
  Patient
• ANY ALL information regarding a patient is
  considered PHI.
• When patients provide information to their
  providers, they expect that only people who are
  caring for them will have access to it and that
  it will only be used in providing care for them.
• Even releasing unsolicited information that a
  person is a patient at an HHS facility or clinic
  is considered a violation.

19
Use and Disclosure of PHI

• Only patient directory information can be
  provided to visitors unless they are actively
  participating in the care of the patient, such as
  immediate family members, etc. When in doubt,
  ask the patient or the patients representative
  for approval.
• What patients discuss with you about their
  condition may not be inappropriately passed on.
• Limit all patient related conversations in public
  areas (halls, nursing stations, elevators,
  cafeteria, restrooms)
• If you overhear conversation regarding a patient,
  let them know you can hear them and remind them
  of HIPAA policy.

20
Use and Disclosure of PHI

• To Someone Involved in Individuals Care
• Family Member, relative, close friend, or other
  person identified by patient or patients
  representative
• Disclose PHI relevant to involvement with
  individuals care
• Obtain individuals agreement
• Emergency exception using professional judgment
• Disaster Relief Purposes
• To public or private entity for disaster relief
  efforts. Check with facility privacy officer for
  protocol.

21
Use and Disclosure of PHI

• Minors
• Parents / Guardians access to minors PHI unless
  State law is more stringent
• Loco Parentis Acting as parent (State Laws
  apply)
• Emancipated minors have control of their PHI
• State Laws that are more stringent supercede
  HIPAA Laws

22
Protected Health Information
Protecting confidential information is a
responsibility that the entire workforce shares,
including volunteers, regardless of whether or
not they are caring for patients.
23
How To Trash Your Work!

• All trash that contains PHI including brief
  handwritten notes is PRIVATE and must be
  DESTROYED.
• If you see/find PHI in the trash, you are
  REQUIRED to report this to your supervisor or
  facility privacy officer.
• PHI also includes patient information that has
  been stored on computer disks. These computer
  disks CAN NOT be thrown in the trash. They must
  be destroyed if no longer needed.
• Cross-cut shredder
• Locked box

24
How To Trash Your Work

• ITEMS YOU THROW AWAY EVERY DAY THAT MAY CONTAIN
  PHI
• 1.     __________________________
• 2.     __________________________
• 3.     __________________________
• 4.     ___________________________
• 5.     ___________________________
• 6.     ____________________________
• 7.     ____________________________
• 8.     _____________________________
• 9.     _____________________________
• 10. ___________________________

25
Email Confidential Notice

• Confidentiality Statement For Email
• All out-going e-mails should contain the
  following confidentiality notice at the end of
  the message
• IMPORTANT NOTICE
• This message is intended only for the use of the
  individual or entity to which it is addressed and
  may contain information that is privileged,
  confidential and exempt from disclosure under
  applicable law. If you have received this
  message in error, you are hereby notified that we
  do not consent to any reading, dissemination,
  distribution or copying of this message. If you
  have received this communication in error, please
  notify the sender immediately and destroy the
  transmitted information.

26
Fax Confidentiality Notice

• IMPORTANT This facsimile is intended only for
  the use of the individual or entity to which it
  is addressed, and may contain information that is
  privileged, confidential and exempt from
  disclosure under applicable law. If you have
  received this facsimile in error, you are hereby
  notified that we do not consent to any reading,
  dissemination, distribution or copying of this
  facsimile. If you have received this
  communication in error, please notify the sender
  immediately by telephone at (___) _______-_______
  and destroy the transmitted information.
  Violators may be prosecuted.

27
Reporting Suspected Violations

• Patient - Patient Complaint Form
• Work Staff
• Contact your facility privacy official
• Call 1-888-55-ISSUE

Ive been violated!
28
PENALTIES FOR VIOLATING

• Civil
• Innocently
• Unintentionally
• Criminal
• Knowingly
• With Intent
• These penalties apply to the employee or the
  facility or both

29
CIVIL PENALTIES

• 100 for each violation
• Up to 25,000/yr for all violations of an
  identical regulation

30
CRIMINAL PENALTIES

• Knowingly releasing patient information in
  violation of HIPAA
• 50,000 fine or 1 yr. jail sentence or both
• Gaining access to health information under false
  pretenses
• 100,000 or 5 yr. jail sentence or both
• Releasing patient information with harmful intent
• 250,000 or 10 yr. jail sentence or both

31
The End