HIPAA Training

1
HIPAA Training

• Geary Community Hospital

2
HIPAA Training Module

• Review presentation material
• Print HIPAA quiz
• Complete quiz and fax per instructions
• You must receive 80 minimal passing score for
  completion of HIPAA Orientation Unit.

3
BACKGROUNDRegulations

• The Privacy Rule was adopted under the Health
  Insurance Portability and Accountability Act of
  1996 (HIPAA).
• HIPAA
• Health Insurance Portability
• Accountability Act

4
OVERVIEW What this means to youand our patients

• The privacy rule gives patients more control over
  their Protected Health Information (PHI). So you
  need to know
• Patients rights regarding the use of their PHI
• Key terms and general rules that you can apply
  and,
• When you can share patient information and when
  there are limits to what can be used or shared

5
GENERAL RULESNotice of Privacy Practices

• Health care providers and health plans will give
  out a Notice of Privacy Practices (NPP) that
  describes how we use and share PHI, the patients
  rights, their responsibilities regarding PHI, and
  who to contact for more information.
• It is important that you know our patients
  rights and our responsibilities.

6
Patient Rights

• The Privacy Rule gives patients the right to
• have their PHI protected
• inspect and copy their records
• request that PHI in their records be corrected or
  changed
• ask for limits on how their PHI is used or
  shared
• ask that they be contacted such as at work and
  not at home
• get a list of disclosures made of their PHI.

7
Protected Health Information (PHI) Includes

• Names
• Addresses including Zip Codes
• All Dates
• Telephone Fax Numbers
• E-mail Addresses
• Social Security Numbers
• Medical Record Numbers
• Health Plan Numbers

• License Numbers
• Vehicle Identification Numbers
• Account Numbers
• Biometric Identifiers
• Full Face Photos
• Any Other Unique
• Identifying Number, Characteristic or Code

8
Protected Health Information, Use and Disclosure

• Protected Health Information (PHI) includes
  information
• sent or stored in any form
• that identifies the patient or can be used to
  identify the patient
• that is created or received by a covered entity
• that generally is about a patients past, present
  and/or future treatment and payment of services.
• Use generally refers to how PHI is handled by
  us.
• Disclosure generally refers to how PHI is
  shared externally.

9
Treatment, Payment and Health Care Operations
(TPO)

• Treatment various activities related to patient
  care.
• Payment various activities related to paying
  for or getting paid for health care services.
• Health Care Operations generally refers to
  day-to-day activities of a covered entity, such
  as planning, management, training, improving
  quality, providing services, and education.

10
TREATMENTWritten Permission IS NOT Needed

• There are many myths about when patient
  permission is needed. Written permission is not
  needed
• to use or share PHI to treat a patient, get paid
  for treatment or to evaluate the person who
  provided treatment (TPO)
• to share PHI with that patient
• for public health purposes, such as to report
  births and deaths
• for disclosure to our vendors for TPO under a
  written contract.

11
When Written PermissionIS NOT Needed -Contd.

• As required by law.
• To report abuse or neglect.
• For law enforcement.
• For organ donation organizations.
• To medical examiners and funeral directors.
• To avoid threats to health and safety.
• For certain research activities if the IRB has
  granted a waiver.

12
GENERAL RULES When Written Permission IS Needed

• Patient permission or authorization is needed
  to use or share PHI for certain marketing and
  fund-raising activities.
• For example A doctor cannot give a diaper
  company the names of pregnant patients without an
  authorization.

13
GENERAL RULES When Written Permission IS Needed
- contd

• Patient permission or authorization is needed
  to use or share PHI for research.
• For example A researcher cannot enroll a
  patient in a study without an authorization that
  includes what the PHI will be used for, who can
  use it and for how long.

14
GENERAL RULES When the Patient Needs the Option
to Decide

• Patients are allowed to decide (written
  permission is not needed) if they want some or
  all of their PHI to be used or shared, such as
• for patient directories
• and to friends and family members involved in
  patient care or payment.

15
GENERAL RULES Minimum Necessary

• Generally, the amount of PHI used, shared,
  accessed or requested must be limited to only
  what is needed.
• For example When a billing company bills for a
  blood test, it does not need the patients
  complete medical record.
• In some cases, this rule does not apply, such as
  when PHI is shared among health care providers
  for treatment.

16
GENERAL RULES Minimum Necessary

• Workers should have only such PHI as their job
  responsibilities require.
• For example
• Someone who delivers food trays to patients
  may need PHI about the patients diet, but does
  not need to know why the patient is in the
  hospital.

17
GENERAL RULES Incidental Disclosures

• Take steps or reasonable safeguards to secure
  and protect PHI.
• For example
• Speak in soft tones when discussing PHI
• Do not discuss PHI in public hallways or in
  elevators
• Use (but do not share) computer passwords
• Lock cabinets that store PHI

18
GENERAL RULES Incidental Disclosures

• Incidental Disclosure generally refers to a
  sharing of PHI that occurs related to an
  allowable disclosure of PHI. An incidental
  disclosure is allowed if steps are taken to
  limit them.
• For example, visitors may hear a patients
  name as its called out in a waiting room or
  overhear a clinical discussion as they are
  walking down a hallway on the unit.

19
GENERAL RULES If Protections Are in Place

• You can talk with other providers or patients,
  even if you may be overheard
• .You can orally arrange services at nursing
  stations.
• You can discuss a patients condition with the
  patient, other providers or family members over
  the phone or in a patients semi-private room.

20
GENERAL RULES If Protections Are in Place

• You can talk about patient conditions in our
  education programs.
• Prescriptions can be discussed by the patient
  over a drugstore counter or by you or the patient
  by phone.
• Messages can be left on answering machines or
  with those who answer the phone, but the message
  should be limited to minimum necessary and
  sensitive information should not be used.

21
GENERAL RULES If Protections Are in Place

• Charts at bedsides or outside exam rooms are
  allowed, but consider having them face backwards.
  
• Patient care signs are allowed, such as for diet
  needs.
• X-ray boards and whiteboards are allowed.
• PHI can be shared in group therapy settings for
  treatment.

22
GENERAL RULESPenalties for Violating the Privacy
Rule

• The privacy regulations penalties include
• Civil penalties of 100 per person for each
  violation, with a 25,000 limit per calendar year
  
• Criminal penalties up to 250,000 and 10 years
  in jail.
• GCH policies include disciplinary action up to
  and including discharge.

23
Frequently Asked Questions PHI - Protected Health
Information

• A No. HIPAA protects more than the official
  medical record. A great deal of other
  information is also considered PHI, such as
  billing and demographic data. Even the
  information that a person is a patient here is
  Protected Health Information.

• Q Is PHI the same as the medical record?

24
Frequently Asked Questions PHI - Protected Health
Information

• A It is not a violation as long as you were
  taking reasonable precautions and were discussing
  the protected health information for a legitimate
  purpose. The HIPAA privacy rule is not meant to
  prevent care providers from communicating with
  each other and their patients during the course
  of treatment. These "incidental disclosures" are
  allowed under HIPAA.

• Q What if Im accidentally overheard discussing
  a patients PHI record?

25
Frequently Asked Questions PHI - Protected Health
Information

• Q If I overhear patient care information in the
  elevator or in the hallway, how should I handle
  it?

• A If it seems appropriate, remind the speakers
  of the policy in private. If the conversation
  clearly violates policies or regulations, report
  it to the Privacy Officer.

26
Frequently Asked Questions PHI - Protected Health
Information

• Q I work in the hospital and don't need to
  access PHI for my job, but every now and then a
  patients family member asks me about a patient.
  What should I do?

• A Explain that you do not have access to that
  information, and refer the individual to the
  patients health care provider.

27
Frequently Asked Questions PHI - Protected Health
Information

• Q I know that patients have a right to their
  PHI. What about parents and guardians of
  incompetent patients?

• A If someone other than the patient has the
  legal right to make health care decisions for the
  patient, that person is the patient's personal
  representative and has the right to access the
  patient's PHI. However, if you have good reason
  to believe that informing the personal
  representative could result in harm to the
  patient or others, then you do not have to
  disclose the PHI

28
Frequently Asked Questions PHI - Protected Health
Information

• Q What should I do if a government agency or law
  enforcement person requests information about a
  patient?

• A If working with law enforcement is not part of
  your responsibility, contact your supervisor. If
  it is your responsibility, provide only the
  minimum amount necessary to support the
  investigation after verification of the authority
  of the individual or organization making the
  request. Please see the Verification section
  for more information, and always consult your
  supervisor or the Privacy Officer if youre not
  sure what to do. The privacy rules are very
  specific in this area so please contact Kourtni
  Rapp, GCH Privacy Officer.
• 210-3370

29
Frequently Asked Questions PHI - Protected Health
Information

• Q As part of my job, I have access to a
  patients PHI. How do I know which family and
  friends can be told this information?

• A Always ask the patient who can receive this
  information and document the patients response
  in the medical record.

30
Frequently Asked Questions PHI - Protected Health
Information

• Q When I am speaking to a patient, and friends
  or family members are in the treatment room, do I
  assume the patient has given me permission to
  speak of the PHI in front of these persons or do
  I need to ask them to leave?

• A It is proper to speak, unless the patient
  objects. If you are uncertain, you can ask the
  patient if it okay to discuss their PHI in front
  of the person.

31
Frequently Asked Questions PHI - Protected Health
Information

• Q If the patient is not conscious, to whom can
  we disclose the PHI?

• A You will have to decide this on a case-by-case
  basis. If you know the patient's preferences, as
  in you can tell my spouse, but not my sister,
  then document the request and follow it.
  Otherwise, use your professional judgment.
  Always use the Minimum Necessary standard
  disclose only information that is directly
  relevant to the person's involvement with the
  patient's health care.Once a patient has
  regained consciousness, he or she will determine
  when and how we can share protected information.

32
Frequently Asked Questions PHI - Protected Health
Information

• Q What if I get approached by an individual who
  just says hes a friend of a patient?

• A Check to see if this individual has been
  approved by the patient for disclosure of PHI. If
  so, ask for one or more pieces of identification,
  including a picture ID.

33
Frequently Asked Questions PHI - Protected Health
Information

• A If you are asked to phone or leave
  confidential information via voice mail, for
  example, you should verify with the patient or
  other approved individual that it is okay to
  leave messages this way. Make sure you confirm
  the number. Your unit may have more restrictive
  policies, so check with your supervisor or
  department head.

• Q What about requests to leave information on
  voice mail or an answering machine?

34
Frequently Asked Questions PHI - Protected Health
Information

• Q What if I find a fax went to a wrong number?

• A In the event you find that a fax went to a
  wrong number, try to retrieve the communications
  containing the PHI that were faxed to the wrong
  number, or ensure that they have been destroyed
  in a secure fashion