HIPAA Office of Experiential Education Health Insurance Portability and Accountability Act.

What is HIPAA?

Health Insurance Portability and Accountability Act

Enacted on April 14, 2003

A Federal Law written to:

Enhance data exchange: more effective and efficient for administrative and financial transactions

Improve healthcare information security and privacy

HIPAA Principles

1. Protect the privacy of protected patient information

2. Use and disclose the minimum necessary amount of protected information

3. Establish the rights of patients to approve who has access to and use of their medical information.

Health Information Disclosure

Covered entities have specific obligations toward protected health information (PHI) which includes information transmitted or maintained in any medium, including ORAL COMMUNICATIONS

Providers and plans may NOT use or disclose an individual’s health information except for:

Treatment

Payment

Regular health care operations

Any additional disclosure requires a signed authorization from the patient

What is Protected Health Information (PHI)?

Information resulting from demographic information being paired with physical or mental health or health insurance/prescription information.

Protected Health Information

Health information in any form is considered Protected health information (PHI) if it is:

(1) created or received by a covered entity

(2) relates to a patient’s past, present or future physical or mental health condition

(3) identifies the individual or creates a basis to believe that the information can be used to identify the individual.

Specific PHI Elements (This information must be de-identified or removed from patient information unless it is being used in the treatment of the patient.)

Name

All geographic info: City, County, State, Precinct, Zip Codes, Street Address

Elements of Dates: Birth Dates, Admission, Discharge, Date of Death, and Ages >89 years old

Telephone/Fax numbers

Email address

Social Security #

Medical Record #

Health Plan #

Account #

Certificate/license #

Vehicle/serial #

License plate #

Device/serial #

URLs

IP Address

Biometric Identifiers: Finger/voice prints

Full face photo

Records kept in a pharmacy that would meet the definition of PHI

Prescription records

Billing records

Patient profiles

Insurance Cards

May include certain phone calls from patients

Verbal patient counseling

Where would a pharmacy student find PHI?

Medical or Clinical Charts

Medication Administration Records (MAR)

Billing Records

Rounding Lists

Electronic Databases

Rounding Conversation

Faxes

Emails

Use and Disclosure Rule

Must take reasonable efforts to use and disclose only the “Minimum Necessary” amount of PHI appropriate to the situation.

Limit disclosure for payment and operations

Understand WHY the information is necessary

Question if information seems unnecessary

Casual conversation

Don’t discuss patients with health care professionals not directly involved in their care

Providers should limit access to patient information on a need to know basis.

Remember, do not use HIPAA as an excuse not to report adverse drug events.

For a pharmacy student, what is the “Minimum Necessary”?

Access ONLY the PHI you need to provide medication therapy management.

This would include: Patient name, date of birth, height, weight, past medical history, physical exam, lab values, diagnoses, tests performed and the results, and the medications.

Can PHI be disclosed without authorization? Yes.

Public health activities

Law enforcement, judicial proceedings

Reports of abuse or neglect

Health oversight activities

Coroners, funeral directors

Organ and tissue donation

Certain research activities

Threat to public safety

Military functions

Inmates

Worker’s compensation

Sale, transfer, merger or consolidation of all or part of covered entity

What should be done when an employee makes an unauthorized disclosure of PHI?

Sanction the employee

Attempt to contain the damage caused by the disclosure

Document the event:

Description of what was disclosed

Statement of the reason the PHI is disclosed

Date

The name and address (if known) of the person or entity that you disclosed to

Must also make an accounting of the events to the affected patient(s)

Stiff penalties including fines and prison terms associated with noncompliance.

Recent Case – July 2013

Woman awarded $1.44 million after finding Walgreens and pharmacist violated privacy.

Pharmacist violated privacy by looking up and sharing prescription history.

Pharmacist admitted she was aware of strict privacy policy and knew she was violating it.

Walgreens contends this is a misapplication of the law to hold an employer liable for the actions of one employee. They intend to appeal.

Walgreens must pay woman $1.44 million over HIPAA violation, Jul. 26, 2013, written by Tim Evans, indystar.com.

What do I do if I need to speak to a patient in an institutional setting?

Create a space that is private.

Speak in the patient’s room

Pull the curtain closed if it is a shared room

If family members are in the room, explain to the patient that you will be discussing private information about their health and ask if they would like their family members to listen also. If not, and it is an appropriate time to speak to the patient, ask the family members to step out of the room for a moment while you speak to the patient.

As a student, can you keep written records about your patients?

Yes, BUT you must safeguard this information.

Don’t use your phone to take a picture of information in the patient’s chart

Don’t photocopy information from the patient’s chart

Don’t access information for patients you aren’t directly following even if they are relatives and/or friends.

Do not leave any written materials, PDAs or laptops with patient information on tables or in lab coats that you are not wearing.

Always put paper with patient information in locked containers to be shredded.

Remember to keep PDAs and laptops password protected when they contain patient information and to delete information that is not needed.

Helpful TIPS

Keep conversations about patients as private as possible.

Use discretion when calling out names in waiting rooms or pharmacies.

Keep patient lists and schedules out of public view.

When discussing cases with fellow students, strip identifiers from the case.

Never leave the patient’s medical record unattended or open.

Respect patient’s privacy when requesting medical information over the phone. Do not repeat names, numbers, etc. so that these can be overheard.

Verify the identity of the individual requesting patient information.

Use passwords on computers that only you know.

Do not share passwords.

Log off any computer if you get up and leave.

Protect the security of laptops and PDAs with password protections.

Remove/destroy PHI when it is no longer needed.

Rights of Individuals to PHI

Patients have the right to access their health information.

Requests for information must be honored within 30 days.

Patients can “amend” their health record. Requests must be acted on within 60 days. You may deny a request if it is not appropriate.

Patients have the right to request that health care providers restrict disclosure of information to health plans in situations in which a patient has paid for an item or service in full.

Privacy Official

To ensure that any covered entity (including pharmacies) is committed to developing and implementing the HIPAA guidelines, an individual must be named as a “privacy official”.

This individual is responsible for developing and implementing HIPAA-related policies and procedures

Security Rule

Requires entities to:

Protect ePHI against unauthorized access and improper alteration or destruction

Protect against threats or hazards to the security or integrity of ePHI

Protect against unauthorized uses or disclosure of ePHI

Make ePHI readily available to authorized personnel when needed

Institute security measures that must be followed by all members of the workforce including students, management, and vendors or contractors

Applies only to electronic protected health information

Computer systems should be up to date, but it is your responsibility to ensure the safety of the ePHI

Conclusions

May use protected health information when speaking with other health care professionals involved in the treatment of the patient.

Use common sense when dealing with health care information.

Questions about the use of PHI should be directed to your supervisor.

Common Questions

Q. Can I allow customers to see the signature of others (such as in a log documenting an offer to counsel)?

Q. Can I call a customer to the pharmacy over a loud speaker?

Q. Do I have to remodel the pharmacy to provide a private counseling area?

Q. If a pharmacist calls a patient’s home to talk to them about an issue and the patient is not home, can a message be left with another person?

Q. Does a pharmacy have to comply with a patient’s request to further restrict uses and disclosures for treatment, payment or operations?

Q. Can a pharmacy specify in its Notice of Privacy Practices that a spouse provide a signature of acknowledgement on their own behalf and on behalf of their spouse and minor children?

Q. Can PHI be faxed to another practitioner?

Q. Can a patient have a family member or a friend pick up a prescription?

Q. Can a pharmacist disclose information about a patient to another individual who is picking up that prescription?
