Health Insurance Portability and Accountability Act HIPAA

1
Health Insurance Portability and Accountability
Act (HIPAA)

• 2007 Housestaff Orientation

Deborah Yano-Fong, RN MSN, Chief Privacy Officer
2
What do you know about HIPAA and why is it
important?
3
Advanced Provider HIPAA Training

• Review Advanced Provider Module
  http//www.ucsf.edu/hipaa/
• Read HIPAA Handbook (in your packet)
• Sign Confidentiality Statement and turn it in to
  your Department Manager
• Read Notice of Privacy Practices (NOPP) booklet
  http//www.ucsfhealth.org/common/3-03ucsfhipaa.pdf
  

4
What do I need to know about HIPAA to survive at
UCSF?

• To protect the privacy and security of an
  individuals Protected Health Information (PHI)
• Use minimum necessary for patient information
• National Provider Identification (NPI)
• How to find answers to your HIPAA and security
  related questions

5
Patient HIPAA Rights can be Hot Spots for
Providers

• HIPAA Patient Rights
• To restrict use and disclosure of their PHI
• To request amendments to their PHI
• To file complaints with UCSF, UCOP and OCR that
  may result in civil and criminal penalties for
  individuals as well as the healthcare
  organization
• To request Accounting of Disclosure
• To inspect and receive a copy of their medical
  record
• To request confidential communication

6
Provider Dos and Donts

• Dont
• Agree to patients request for restriction of
  access to their medical record
• Agree to patients request for an amendment to
  their medical record
• Do
• Refer patients request for restriction or
  amendment of the medical record to Patient
  Relations or HIMS
• Patient Relations and HIMS must evaluate and
  coordinate all requests for restriction or
  amendment of medical records

7
Why Should We as Providers Care about PHI?

• Recent studies show that a person who does not
  believe that their privacy will be protected is
  much less likely to participate fully in the
  diagnosis and treatment of their medical
  condition.
• 1 in 6 Americans reported that they have taken
  some sort of evasive action to avoid the
  inappropriate use of their information by
  providing inaccurate information to a healthcare
  provider, changing physicians or avoiding care
  altogether

8
National Provider Identification (NPI)

• Getting an NPI is free
• Not having one can be costly
• If you do not already have an NPI, contact
• Department Manager
• Credentialing Manager
• Michael Delane
• Faculty Medical Group
• delanem_at_ucsfmg.ucsf.edu

9
National Plan and Provider Enumeration System
(NPPES)

• Data that a provider is required to give when
  applying for an NPI
• Becomes public information downloadable from the
  internet as of 6/28/2007
• By law providers must update their NPPES data
  within 30 days of any change.
• https//nppes.cms.hhs.gov/NPPES/StaticForward.do?
  forwardstatic.npistart

10
PHI is Everywhere

• Desktop computer
• Laptops
• Memory Sticks
• Text pagers
• Memory sticks
• PDAs
• Cell Phones
• Conversations
• Paper records/notes

11
Key to Your Survival is Control of Information
Access

• Limit discussion in public areas
• Protect your e-devices
• Remove all Personal Identifiers whenever possible
• Shred paperwork

12
Protect your computers and mobile eDevices

• Backup all confidential information on a UCSF
  protected server
• Password Protection
• Encryption
• Delete old files
• Create back-up file and store separate from
  computer/mobile e-device
• Access UCSF network using an approved, secure
  means
• VPN
• Its.ucsf.edu/services/network

13
Secure E-Mail is easy to use!

• Use only for sending email from UCSF
• Type in the email Subject Line the word Secure

Secure
UCSF
14
Report Computer Security Issues

• Report erratic computer behavior or unusual
  e-mails to IT

• Report lost/stolen e-devices to UCSF Police
  immediately

15
HIPAA Violations can carry Penalties

• Criminal Penalties
• Civil Monetary Penalties
• Jail Terms
• Fines Penalties Violation of State Law
• UCSF corrective disciplinary action

16
UCSF Resources
Where to go for

• Your Department Manager or IT support person
• UCSF Privacy Officer
• deborah.yano-fong_at_ucsfmedctr.org
• UCSF Information Security Officer (Medical
  Center)
• jose.claudio_at_ucsfmedctr.org
• UCSF Information Security Officer (Campus)
• ctianen_at_its.ucsf.edu
• Security Training
• Tiki Maxwell 514-1363
• UCSF HIPAA Handbook
• www.ucsf.edu/hipaa

17
Scenario 1

• A Workers Comp Insurance company contracts with
  your department for an evaluation of a patient.
  The contract specifies that the report is to be
  sent only to the company and not to the patient
  as the insurance company is paying for the exam.
  Upon completion of the exam, the patient requests
  a copy of the report.
• What do you tell the patient?

18
Scenario 2

• A patient arrives in the ED and states that he
  has been seen at another ED two times in the last
  24 hours for abdominal pain. He now presents with
  increased abdominal pain. You diagnose him with a
  bowel obstruction, and he goes to the OR for
  surgery. You know the MD at the other hospital
  and want to inform him about what happened to
  this patient.
• Should you contact the MD at the other ED?

19
Remember Protection of PHI is Your Responsibility

• By protecting yourself, you are also protecting
  your patients.