HIPAA PRIVACY TRAINING FOR ASSOCIATES
HAYS MEDICAL CENTER
CHRISTY STAHL, CPCCOMPLIANCE MANAGER &
PRIVACY OFFICER
2010
HIPAA
HMC’s Privacy Officer is Christy Stahl. She is responsible for the oversight of HMC’s compliance with the HIPAA privacy regulations. She also investigates any alleged privacy violations.
AssociatesYou will notice the term “Associates” is used throughout this training. “Associates” is a broad term that represents all the following individuals who are associated with HMC:
• Employees• Volunteers• Students• Other trainees• Members of the Board of Directors• Locum Tenens• Contract Staff• Independent Contractors• Other persons whose conduct is under the direct control of HMC
(whether or not they are compensated by HMC for such services)
HIPAA
LESSON ONE
Welcome to the introductory lesson on the HIPAA Privacy and Security Rules
HIPAA
COURSE RATIONALE
In this course, you will learn about:
• Federal regulations concerning patient confidentiality and computer security
• How those regulations impact your job duties/training at HMC
HIPAA
COURSE GOALS
After completing this course, you should
• know the rules regarding the use and disclosure of protected health information
• Understand safeguards to protect patient privacy
• Appreciate the importance of computer security
HIPAA
COURSE OUTLINELesson 1 – this introductory lesson gives you the course
rationale, goals, and outlineLesson 2 – provides an overview of the HIPAA Privacy and
Security RulesLesson 3 – explains the rules regarding use and disclosure of
patient informationLesson 4 – addresses patients’ rights concerning their health
informationLesson 5 – talks about safeguards to protect patient privacyLesson 6 – focuses on HIPAA Security Rule requirements
HIPAA
LESSON 2
Overview of the HIPAA Privacy and Security Rules
HIPAA
Welcome to Lesson 2 for an overview of the HIPAA Privacy and Security Rules
After completing this lesson, you should:
– Understand where the rules came from
– Appreciate why we have these rules
– Know the consequences of violating the rules
HIPAA
• HIPAA stands for the Health InsurancePortability and Accountability Act of 1996
• HIPAA is a federal law that was enacted by Congressand signed by the President in 1996
HIPAA
As part of the HIPAA law, Congress directed the U.S. Department of Health and Human Services (DHHS) to develop regulations that would:嘋 protect patient privacy嘋 protect the security of health information stored
and transmitted electronically
HIPAA
The final HIPAA Privacy Rule became effective in April 2003
The final HIPAA Security Rule became effective in April 2005
These rules regulate the way covered entities handle protected health information
HIPAAThe HIPAA Privacy and Security Rules only apply to covered
entities
We refer to covered entities as CEs
There are three types of CEs:嘋 Health Care Providers (e.g., hospitals, physicians, nursing homes, pharmacies)
嘋 Health Plans (e.g., health insurance companies, employee-sponsored health plans)
嘋 Healthcare Clearinghouses (organizations that process insurance claims)
HMC is a CE, so the hospital, its physician clinics, and Associates must comply with the HIPAA Privacy and Security Rules
HIPAA
The HIPAA Privacy and Security Rules regulate how we safeguard, use, and disclose Protected Health Information or PHI.
PHI includes all individually identifiable health information
PHI is not limited to paper documents. It includes data and oral communications
HIPAA
Health information includes:
- Past, present, or future physical or mental health or condition of an individual
- Provision of health care to an individual; or
- Past, present, or future payment for the provision of health care to an individual.
HIPAA
Health information is individually identifiableif:- identifies an individual
- provides some basis from which someone could identify an individual if they really wanted to
HIPAA
Examples of information that is considered “identifying”:
- name, address, telephone number, fax number, email address
- birth date, admission date, discharge date
- social security number, medical record number, account number
- information about relatives, employers, etc.
- vehicle ID number, URL address
HIPAA
Examples of PHI
All of the following constitute PHI:
- A lab test report that lists only the patient’s medical record number
- A conversation between two nurses about the patient in Room 202
- A message on an answering machine asking John Doe to call his doctor’s office
- A receipt for payment of an office visit co-payment
HIPAA
Consequences of violating the HIPAA Privacy and Security Rules
- Significant government fines and penalties against HMC- Up to $50,000 per violation
- Criminal penalties against the individuals involved in the violation
- Expensive civil lawsuits brought by individuals against HMC and its Associates
- Damage to HMC’s reputation in the community- For licensed individuals (e.g., nurses, therapists), disciplinary
action by their licensing board
HIPAA
• Consequences of violating HMC’s HIPAA policies:
- For HMC employees, disciplinary action by HMC, up to and including termination
- For students, termination of their training at HMC
- For contracted individuals, termination of their contract with HMC
HIPAA
You have completed Lesson 2 on the purpose of the HIPAA Privacy and Security Rules
HIPAA
Remember:• The HIPAA Privacy and Security Rules regulate the way covered
entities safeguard, use, and disclosure protected health information
PHI is any information relating to a person’s health, healthcare, or payment for healthcare services that contains something that could be used to identify the person
• PHI is not limited to paper documents. It includes electronic data and oralcommunications
• The consequences of violating these rules can be severe for HMC and its Associates
HIPAA
Lesson 3
Uses and Disclosures of PHI
HIPAA
Welcome to Lesson 3 on uses and disclosures of PHI
After completing this lesson, you should be able to:
- List uses and disclosures of PHI allowed under the HIPAA Privacy Rule
- Recognize what must be included in written permission for uses and disclosures
- Define “minimum necessary” use or disclosure
HIPAA
Competing Interests
The HIPAA Privacy Rule tries to balance two competing interests:
- No. 1: protect patient privacy
- No. 2: allow the flow of PHI when needed to ensure high quality healthcare and protect public health
HIPAA
A CE cannot use or disclose PHI without the patient’s authorization unless an exception applies
Exceptions are based on the purpose of the use or disclosure, as opposed to the type of PHI involved
Lets look at some of those exceptions
HIPAA
Treatment, Payment, Health Care Operations
Use and disclosure of PHI is permitted without patient authorization if the purpose of use or disclosure is
- treatment
- payment
- health care operations
HIPAA
Treatment
HMC may use and disclose PHI to treat its patients
HMC may disclose PHI to other healthcare providers for them to treat their patients
HIPAA
Payment
HMC may use and disclose PHI to obtain payment for services it provides.
HMC may disclose PHI to another CE as necessary for that CE’s payment purposes
HIPAA
Health Care OperationsHMC may use and disclose PHI for health care operations, which include:
- management functions necessary to support treatment or payment- quality assurance activities- utilization review activities- audits- credentialing
Research activities and marketing do not qualify as health care operations
HMC may disclose PHI to another CE for that CE’s health care operations only if that CE has a pre-existing treatment relationship with the patient
HIPAA
Opportunity to Opt OutHMC may use or disclose PHI in the following ways
without a written authorization if the individual has the opportunity to agree to or prohibit or restrict the use or disclosure:
- HMC may use a patient’s name, location in the facility, religious affiliation, and condition described in general terms to maintain a facility directory. HMC may disclose this information to clergy or, with the exception of religious affiliation, to other persons who ask for the person by name
HIPAA
- HMC may disclose to a patient’s family member, close personal friend, or other person identified by the patient PHI directly relevant to such person’s involvement with the patient’s care or payment for services
- HMC may use or disclose PHI to notify a family member, a personal representative of the individual, or other person responsible for the individual’s care
HIPAAOther Permitted Uses and Disclosures Without
Written AuthorizationThe HIPAA Privacy Rule includes several other
exceptions that permit use and disclosure of PHI without written authorization- as specifically required by law
- for public health activities (e.g., reporting disease or injury)
- to report victims of abuse, neglect, or domestic violence
- for health oversight activities by the government
- in judicial and administrative proceedings
HIPAA
Continued:
- for law enforcement purposes
- to disclose information to coroners, including medical examiners, or for the purpose of cadaveric organ, eye andtissue donations
- to avert a serious threat to health and safety
- to a funeral director as necessary to carry out duties with respect to decedent
- for specialized governmental functions
- for workers compensation claims
HIPAA
Special Rules for Certain Types of Disclosures
Use and disclosure of PHI for the following purpose without an authorization is permitted in limited circumstances- marketing- fundraising- research
HIPAA
Special Rules for Certain Types of PHI
Certain types of PHI are subject to special protections under state and federal law- HIV/AIDS information- records of treatment in a federally-assisted drug and alcohol
treatment program- information relating to patients of community mental health
centers, community service providers, psychiatric hospitals, or state institutions for the mentally retarded
Even if a particular use or disclosure is permitted without an authorization under the HIPAA Privacy Rule, such use or disclosure may be prohibited under these rules
HIPAA
Authorizations
If no exceptions applies, HMC must obtain a written authorization from the patient (or personal representative) before using or disclosing the patient’s PHI
HIPAA
Authorization – Required ElementsTo be effective, a written authorization must include:- Description of PHI to be used or disclosed- Description of the purpose of the use or disclosure- Description of the persons or class of persons that may use PHI or to
who the PHI may be disclosed- Revocation and re-disclosure instructions- Notice that HMC must treat the patient regardless of whether
authorization is given- Expiration date or triggering event- Individual’s signature or personal representative’s signature and
authority
HMC has a standard Authorization Form it uses to release PHI.
HIPAA• Breach Notification
– If a patient’s PHI is breached, HMC must provide specific written notice of such breach to that patient within 60 days of discovery
– Must submit annual reports to the government– Breach = improper use or disclosure + potential for harm to
the individual– HMC must review every improper use or disclosure to
determine if it constitutes a breach– Failure to document such review = HIPAA violation
• Associates must report all improper uses or disclosures of PHI to HMC’s Privacy Officer
HIPAA
Minimum Necessary Rule
Any use or disclosure must be limited to the minimum amount of information necessary to accomplish the specific purpose of the use or disclosure.
HIPAA
The minimum necessary rule does not apply to:
- uses and disclosures for treatment purposes
- uses and disclosures made pursuant to an authorization
- disclosures to the person who is the subject of the information
- disclosures required by law
HIPAA
Associate Access to PHI
An Associate may access or discuss any patient’s PHI only to the extent necessary to perform his/her job duties
An Associate who accesses or discusses any patient’s PHI (including family members) without a legitimate job-related reason for doing so will be subject to discipline up to and including termination
HIPAA
What To Do If You Have Questions
The rules concerning use and disclosure of PHI can be confusing
If you have a question concerning these rules, contact HMC’s Privacy Officer, Christy Stahl
- 785-623-2188 work #- 785-623-1821 cell #- [email protected]
HIPAA
You have completed Lesson 3 on uses and disclosures of PHI
HIPAARemember:- you cannot use or disclose PHI without written authorization unless an
exception applies- uses and disclosures for treatment, payment, and health care operations
are permitted- there are several other exceptions that apply in specific circumstances- a written authorization must contain specific information to be valid- All improper uses or disclosures of PHI must be reported to the
Privacy Officer to determine if breach notification is required- an associate who uses or discloses a patient’s PHI without a job related
reason for doing so will be disciplined- Seek guidance from your supervisor or the Privacy Officer before
disclosing any protected healthcare information to a police officer- if you have questions concerning uses and disclosures of PHI, contact
HMC’s Privacy Officer
HIPAA
Lesson 4
Patients’ Rights Concerning Their PHI
HIPAA
Welcome to Lesson 4 on patients’ rights concerning their PHI
After completing this lesson, you should be able to:
- identify patients’ rights concerning their PHI
- assist a patient who wants to exercise one of those rights
HIPAA
Right to Access PHI
HMC must give a patient access to inspect and copy his or her PHI maintained in a designated record set
A patient wanting access must submit a written request to the Medical Records Department
HIPAA
Right to an AccountingA patient may request accounting of HMC’s uses and
disclosures of the patient’s PHI made within the last 6 years
Such an accounting does not include uses or disclosures for treatment, payment, or health care operations or uses and disclosures authorized by the patient
A patient wanting an accounting must submit a written request to the Privacy Officer
HIPAA
Right to Request AmendmentsA patient can request that PHI be amended if he or
she believes it is not accurate
HMC can deny such request if the information is accurate and complete or not created by HMC
A patient seeking an amendment must submit a written request to the Privacy Officer or to the Medical Records Department
HIPAA
Right to Request Restrictions
A patient may request HMC restrict those uses or disclosures permitted without authorization
Such request must be made in writing to the Privacy Officer or to the Medical Records Department
HMC is not required to agree to such request
HIPAA
Right to Receive Confidential Communications
A patient may request that HMC communicate with him or her by alternative means or at alternative locations (e.g., only contact the patient at a certain telephone number)
HMC must abide by all reasonable requests
If a patient makes such a request to you, make sure such request is communicated to the appropriate people and documented appropriately
HIPAA
You have completed Lesson 4 on patients’ rights concerning their PHI
HIPAA
Remember:
A patient has the right to:- access his/her PHI- obtain an accounting of HMC’s disclosures of his/her PHI- request an amendment to his/her PHI- request restrictions on uses and disclosures permitted
without an authorization- receive confidential communications
HIPAA
Lesson 5
Administrative Requirements
HIPAA
Welcome to Lesson 5 on administrative requirements
When you complete this lesson, you should be able to:
- identify the administrative requirements the HIPAA Privacy Rule imposes on HMC
- understand the importance of following safeguards to prevent improper disclosures of PHI
HIPAA
Notice of Privacy Practices
• HMC must give all of its patients a written Notice of Privacy Practices
• Patients are requested to sign an acknowledgement of receipt
• A copy of the Notice is available on HMC’s website, www.haysmed.com
HIPAA
SafeguardsAll Associates must follow safeguards to prevent
improper uses and disclosures of PHI
As part of your work, you will have conversations with patients, family member, co-workers involving PHI. You must take care to avoid others overhearing those conversations
Never leave documents containing PHI unattended where they could be accessed by unauthorized persons
HIPAA
Safeguards (Cont.)
Never share your computer password with anyone else
Never allow anyone else to use your computer password
If you have reason to believe the security of your password has been compromised, notify the Privacy Officer immediately
HIPAA
Safeguards (Cont.)Always wear name badges to prevent unauthorized
individuals from having access to PHI
Confirm identity of person with whom speaking and follow procedures when leaving messages
Keep all PHI within an HMC facility unless job duties specifically require otherwise (this is the rule, not the exception)
HIPAA
Safeguarding Electronic PHI (e-PHI)
Computer Security Measures:▪ Passwords and access codes ▪ User profiles▪ Audit logs ▪ Encryption▪ Physical location of equipment ▪ Data back-up▪ Firewalls, virus detection▪ Password-protected screensavers▪ Removal and destruction
HIPAA
Other Administrative RequirementsTo comply with the HIPAA Privacy Rule, HMC
must:
- discipline Associates, Vendors, and Agents that violate the HIPAA Privacy Rule
- maintain a complaint/grievance process for complaints about HIPAA Privacy Rule violations
- take action to mitigate any bad effect of inappropriate disclosure or use of PHI to the extent possible
HIPAA
Reporting Concerns
If you believe there has been a violation of the HIPAA Privacy Rule, report that information to the Privacy Officer as soon as possible
HIPAA
Prohibition on Waiver and Retaliation
HMC will not require any person to waive his or her rights under the HIPAA Privacy Rule as a condition of treatment or payment of benefits
HMC strictly prohibits any sort of retaliation, intimidation, or discrimination against persons exercising their rights under the HIPAA Privacy Rule
HIPAA
You have completed Lesson 5 on the HIPAA Privacy Rule’s administrative requirements
HIPAA
Remember:
- you must act to protect patient confidentiality
- you will be disciplined if you do not follow proper safeguards
- you must report suspected violations of the Privacy Rule to HMC’s Privacy Officer
HIPAA
Your responsibilities:• Comply with the HIPAA Privacy Rules• Follow the Confidentiality Agreement• Do not take any PHI out of the facility• Do not access your medical record or the medical record of
your family members on your own – make request at the Medical Records Department (Health Information Management)
• Do not access any medical records unless your job/training requires you to access a patient’s medical record
• Do not have an Associate, Physician, or any other person access a record for you
HIPAA
Your responsibilities:• Do not view patient status boards for other departments• Never text any information about a patient• Do not discuss patients with persons outside HMC• Do not discuss your training experience at HMC on
Facebook, MySpace or Twitter…………….even if you do not mention patient names
• Associates that are students must de-identify all information used, unless your HMC supervisor gives you approval to obtain an authorization from the patient
Top Related