Final gygax training module_ attempt 2

How you can do your part HIPAA COMPLIANCE


Basic HIPAA information: Slides 3-7

Training Scenarios: Slides 8-18

Conclusion: Slides 19-20

References: Slide 21

LECTURE OVERVIEW

Health Insurance Portability and Accountability Act

Established in 1996

2 Main parts: Privacy and Security

Privacy Basics: Standards developed to “address the use and disclosure of individuals’ health information or Protected Health Information (PHI)” (3)

WHAT IS HIPAA

ALL employees of the organization must follow HIPAA Privacy Rules

WHO MUST COMPLY WITH HIPAA

Figure 1

Basic Definition: identifiable health related information about an individual

3 elements of PHI (1):

Individual is identified

Health conditions or related information (e.g. Legal proceedings)

Information is held by a Covered Entity (CE)

WHAT TO SAFEGUARD: PROTECTED HEALTH INFORMATION

The US Dept of Health and Human Services states the Privacy Rule’s “Basic Principle” (3): “...purpose is to define and limit the circumstances in which an individual’s [PHI] is used or disclosed by [CEs]...”

2 ways use and disclosure can be done:

Permitted Uses
- To the individual
- Treatment, Payment, Operations (TPO)
- 12 public interest and benefit situations
- Individual agreement/objection of additional uses and disclosures
- Incidental uses or disclosures
- Limited Data Set

Authorized Uses

Please visit the website for additional information: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html ***Contact the Privacy Officer with any questions or concerns***

HOW TO COMPLY WITH HIPAA

Definition: A Privacy Rule requirement that restricts access to PHI to those who need the information to complete the task for which it was requested (1).

Information obtained is limited to the minimum necessary to complete the task.

Be familiar with your specific department’s policies and procedures as well as the organization’s.

MINIMUM NECESSARY

Ensure the information:
- is being released to an authorized person, based on:
  - written authorization,
  - oral authorization,
  - or an authorized exception
- fits the minimum necessary standard to complete the task
- has a valid date
- is available to be released
- request has been documented

Use professional judgment: Make sure the information being requested will not cause:
- individual harm
- relationship damage between individual and organization

RELEASE OF PHI GUIDELINES

We will now discuss 4 different scenarios:

Identify the problem

Discussion

Implement the solution

PART II: TRAINING SCENARIOS

Situation: You have an electronic health record. When an error is made in the record, it is the policy of the facility to allow the person who made the error to totally delete it from the system.

The Problem: This breaks 3 elements:
- Integrity: record is accurate and complete
- Authenticity: record is authentic
- Non-Repudiation: record is undeniable

Brodnik states the goal of the Security Rule is to “...protect ePHI from unauthorized access, alteration, deletion and transmission.” (1)

SCENARIO 1

General rules when dealing with an electronic health record:

Records should never be deleted

When revision is required, the individual making the correction needs to:
- identify the incorrect data
- flag it
- provide a link to the correction

Refer to our organization’s procedures and policies in the rare instance a deletion needs to be made, or contact the Privacy Officer.

SCENARIO 1 SOLUTION

An Access Control List has been established.

Access controls have been set up to categorize which roles have the authorization to delete records.

Parameters have been put in place by categories organized by roles and groups.

Access rights have been implemented to identify the user and certify that the user has the rights to complete the request.

If you do not have sufficient authorization rights for the task at hand please discuss how to proceed with your supervisor or the HIM manager

SCENARIO 1 SOLUTION
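The Scenario 1 solution combines two controls: corrections are appended and linked rather than overwriting the original (preserving integrity, authenticity and non-repudiation), and deletion is gated by a role-based access control list. The following is an added example, written for this page and not part of the training module or any real EHR product; the role names (nurse, physician, him_manager), the record fields and the audit log format are assumptions for illustration.

```python
"""Append-only health-record store with role-based authorization.

Added example, not from the training module. The ACL, role names and
record fields are assumptions chosen to illustrate the Scenario 1 rules:
records are never edited in place, corrections flag and link the original,
and only an authorized role may tombstone an entry (the text is retained).
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Hypothetical access control list: which roles may perform which action.
ACL = {
    "create": {"physician", "nurse", "him_manager"},
    "correct": {"physician", "nurse", "him_manager"},
    "delete": {"him_manager"},  # deletion restricted to one role, per policy
}


class NotAuthorized(PermissionError):
    """Raised when a role is not on the ACL for the requested action."""


@dataclass
class Entry:
    entry_id: int
    patient_id: str
    author: str
    role: str
    text: str
    created: str
    flagged_incorrect: bool = False     # set on the erroneous entry
    corrects: Optional[int] = None      # correction -> original it replaces
    corrected_by: Optional[int] = None  # original -> correction that replaced it
    deleted: bool = False               # tombstone only; text is never removed
    delete_reason: Optional[str] = None


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


class RecordStore:
    def __init__(self) -> None:
        self._entries: list[Entry] = []
        self.audit_log: list[dict] = []  # every attempt, allowed or denied

    def _authorize(self, action: str, user: str, role: str) -> None:
        ok = role in ACL.get(action, set())
        self.audit_log.append(
            {"time": _now(), "action": action, "user": user, "role": role, "ok": ok}
        )
        if not ok:
            raise NotAuthorized(f"role {role!r} is not authorized to {action}")

    def create(self, patient_id: str, user: str, role: str, text: str) -> Entry:
        self._authorize("create", user, role)
        entry = Entry(len(self._entries) + 1, patient_id, user, role, text, _now())
        self._entries.append(entry)
        return entry

    def get(self, entry_id: int) -> Entry:
        return self._entries[entry_id - 1]

    def correct(self, entry_id: int, user: str, role: str, new_text: str) -> Entry:
        """Never edits in place: flags the old entry, appends a new one, links both."""
        self._authorize("correct", user, role)
        original = self.get(entry_id)
        if original.corrected_by is not None:
            raise ValueError("entry already corrected; correct the latest version")
        correction = Entry(len(self._entries) + 1, original.patient_id, user, role,
                           new_text, _now(), corrects=original.entry_id)
        self._entries.append(correction)
        original.flagged_incorrect = True
        original.corrected_by = correction.entry_id
        return correction

    def delete(self, entry_id: int, user: str, role: str, reason: str) -> Entry:
        """Tombstone: the entry stays in the store, marked deleted with a reason."""
        self._authorize("delete", user, role)
        entry = self.get(entry_id)
        entry.deleted = True
        entry.delete_reason = reason
        return entry

    def history(self, patient_id: str) -> list[Entry]:
        """Full chain for a patient, including flagged and tombstoned entries."""
        return [e for e in self._entries if e.patient_id == patient_id]


if __name__ == "__main__":
    store = RecordStore()
    first = store.create("P-001", "nurse_a", "nurse", "BP 120/80")  # constructed sample
    store.correct(first.entry_id, "dr_b", "physician", "BP 130/80")
    for e in store.history("P-001"):
        print(e)
```

Because `history()` returns flagged and tombstoned entries alongside current ones, the chain of who recorded what, and who later corrected or tombstoned it, can be reconstructed from the store itself; the audit log additionally records denied attempts, which is what a reviewer would look at after a policy violation.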

Situation: Patients are allowed to amend the health record directly in the electronic health record with no supervision by staff.

The Problem: Patients have the ability to change their health records, affecting:

Integrity

Authenticity

Non-repudiation

SCENARIO 2

In compliance with HIPAA regulations, individuals must have the right to request amendments to their records.

Patient Amendment Process:

Patient must complete an official request:
- Written form
- Reason for amendment

HIM department will process the request and contact the patient

SCENARIO 2 SOLUTION

Situation: When a visitor is at a nurses’ station, the computer screens are visible and readable by the visitor, leaving a patient’s PHI totally available to the public.

The Problem: Adequate measures are not being taken to secure patient records privacy.

SCENARIO 3

Workstation Use and Security Policies have been updated to include the following requirements:

- Workstation locations must be in monitored areas
- Workstation screens need to be adjusted away from public view
- Use of applicable screen devices such as protectors to block peripheral views is recommended
- Auto time-outs have been enabled on all workstations
- Password re-entry is required
- Security training and awareness program completion is required for all employees who use workstations

SCENARIO 3 SOLUTION

Situation: While on the elevator, physicians, nurses, a custodian, and a patient registrar discussed patients by name, health care problem, and in one case, an ongoing litigation case about a malpractice suit.

The Problem: Breaches have occurred at both the organizational and individual level.

Employees have failed to protect the privacy of PHI

The minimum necessary standard has been violated

SCENARIO 4

Employee Awareness Standards

Employees abide by the Minimum Necessary Rule and the HIPAA Privacy Rule.

SCENARIO 4 SOLUTION

It is important to note that there are penalties for non-compliance.

Civil Penalties: range from $100/ violation to $25,000 max per calendar year

Criminal Penalties: range from $50,000 fine and 1 year imprisonment to $250,000 fine and 10 years imprisonment

PENALTIES FOR NONCOMPLIANCE

THINGS TO REMEMBER

Closing thoughts:

We must uphold the responsibility of ensuring patient information (PHI) is protected and that patients know their rights.

We must respect individuals, workforce members and the organization, act respectfully, and act in accordance with standards.

REFERENCES


1) Brodnik MS, McCain MC, Rinehart-Thompson LA, Reynolds RB. Fundamentals of Law for Health Informatics and Information Management. Chicago: AHIMA Press, 2008. p. 134, 140, 159, 176, 179, 182, 214-5, 217, 222.

2) Hughes G. Laws and regulations governing the disclosure of health information (updated). AHIMA 2002 Nov [cited 2012 May 21]. Available from: URL: http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_016464.hcsp?dDocName=bok1_016464

3) The HIPAA privacy rule’s right of access and health information technology. Available from: URL: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/.../eaccess.pdf

4) The five Ws of HIPAA. Available from: URL: som.ucsd.edu/webfm_send/4665

5) Health and Human Services Website. Available from: URL: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html

6) Wiedemann LA, Hjort B. HIPAA Privacy and Security Training (Updated). AHIMA 2010 Nov [cited 2012 May 20]; [1 screen]. Available from: URL: http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_048509.hcsp?dDocName=bok1_048509

Figure 1: University of South Alabama [Online Image]. Available at: http://www.southalabama.edu/healthprofessions/