
HIPAA


Presentation Transcript


    1. HIPAA: Keeping Patient Information Private

    2. HIPAA is…
       - A Federal law called the Health Insurance Portability and Accountability Act of 1996
       - One part of HIPAA is the Privacy Rule
       - The main purpose of the HIPAA Privacy Rule is to provide better protections for patients’ protected health information (PHI)

    Speaker notes: HIPAA is an acronym that stands for the Health Insurance Portability and Accountability Act of 1996. It was originally enacted as a means to allow employees to maintain their healthcare coverage when changing jobs to go work for another company. The Administrative Simplification piece of the regulations is specific to the requirement that health care providers will soon be able to perform certain specific health care operations, such as submission of claims and receipt of payment, using standardized electronic record layouts with one set of national codes for diagnoses and procedures, to expedite payment and decrease paperwork. The Privacy and Security regulations are designed to ensure that the patient information being used to perform such electronic healthcare operations is used appropriately and discriminately, is used by the right people for the right purpose, and is protected from unauthorized access by other people who do not have a need to know such information.

    3. PROTECTED HEALTH INFORMATION (PHI)
       - Covers patient information in any form: written, verbal, or electronic
       - PHI includes:
         - Any information that can be used to identify the patient, for example, name, address, social security number, medical record number, telephone number, patient account number
         - Anything about the patient’s medical conditions and treatment: past, present, or possible
         - Billing and payment records

    4. Before You Access Patient Information, Ask Yourself
       - Is the patient information I am about to access necessary for me to complete my job?
       - Am I accessing only the minimum necessary to complete my job, no more and no less?
       - Am I accessing, using, or disclosing this information for treatment, payment, or health care operations reasons?
       - If I am accessing, using, or disclosing this information, should I have a signed authorization from the patient?

    Speaker notes: To help you comply with the Triad HIPAA Privacy Policies and the facility’s privacy procedures, try keeping in mind these four key questions each and every time you access patient information.
       1. Is the patient information necessary to complete my job duties? If yes, proceed to question 2. If no, STOP!
       2. Am I accessing only the minimum necessary information to complete my job duties? If yes, proceed to question 3. If no, STOP!
       3. Am I accessing, using, or disclosing patient information for treatment, payment, or health care operations reasons? If yes, proceed to use or disclose the patient’s information as needed. If no, proceed to question 4.
       4. Am I accessing, using, or disclosing this information by having a signed authorization from the patient? If yes, proceed, disclosing only the specified information to the specified entity. If no, STOP and check with your supervisor before continuing!
    If you’re not certain that you should be using or accessing PHI, stop and ask your supervisor.

    5. When is it Okay to Share PHI?
       - Share only the minimum amount of PHI necessary to fulfill the job responsibility
       - Share PHI only with those with a clinical or business need to know
       - Share only the amount of PHI requested. The entire medical record may not be needed.

    Speaker notes: Minimum necessary is a fundamental of the HIPAA Privacy Regulations. Under the HIPAA Privacy Regulations and the Triad Blue Book Privacy Policy 011, only employees with a need to know PHI are allowed to access, use, or disclose PHI, and only in the minimum amount necessary to perform his or her job function. For example, if an employee is a nurse, then access to the entire medical record may be appropriate. If an employee is a billing clerk, then only access to the patient financial and billing data may be appropriate. If the employee is a member of the housekeeping staff, then no access at all may be appropriate. The three golden rules of thumb when applying minimum necessary are:
       1. Share PHI in the minimum amount necessary to fulfill the job responsibility. Treatment uses are exempt; however, providers are encouraged to share only the minimum amount of information necessary to treat the patient. For example, a nurse treating a patient with a broken leg probably wouldn’t need access to childbirth records from 20 years ago.
       2. Share PHI only with those who need to know. Sharing information between nurses on the same unit caring for the same patient may be appropriate. Sharing PHI with a nurse on another floor who is not caring for the patient but is a neighbor of the patient is not appropriate.
       3. Share only the amount of PHI requested. For example, if an insurance company requests the results of a patient’s spine MRI to preauthorize surgery, the employee may not include the results of the patient’s workers compensation injury to his or her leg. This is information the insurance company may be interested in, but has not requested.

    6. Examples of Minimum Necessary
       - A billing clerk may need to know what laboratory test was done, but not the result
       - An admissions clerk does not need to have access to the full medical record in order to carry out his/her job
       - A patient transporter typically does not need to access the full medical record to do his/her job

    7. Snooping and Casual Disregard… Our Greatest Risk
       - Accessing the medical records of family members, friends, ex-spouses, neighbors, celebrities, etc.
       - Failure to verify the authority of the individual receiving the PHI
       - Improper use of technology such as camera phones, texting, and social networking sites
       - Employees exceeding their scope of job duty

    Speaker notes: As previously stated, snooping continues to be a significant risk factor in our facilities. A wide variety of excuses are often given by staff, including:
       - It’s my own record. [Doesn’t matter; there are defined policies to follow in accessing a Medical Record, including one’s own record.]
       - I’ve worked with that person for years and was really concerned about what was going on with them. [Doesn’t matter; HIPAA does not have an ‘I care’ exception.]
       - I just needed an address or phone number so I could let the court know where this person is now. They haven’t paid their child support and I really need the money! [This does not give any employee the right to access another person’s Medical Record.]
    With few exceptions, those who get caught snooping have been terminated. It’s an unfortunate outcome to an easily preventable incident.

    8. Are You a Criminal?
       - Choosing not to comply with HIPAA could result in civil and criminal penalties, including going to jail
       - If you obtain or disclose PHI without proper authority, you may face a fine of up to $50,000 and up to one year of jail time
       - If you obtain PHI with the intent to sell it, give it to someone else, or for malicious reasons, you could receive a $250,000 fine and up to 10 years in jail

    9. What is the Difference Between Use and Disclosure of PHI?
       - USE is sharing PHI within the facility
       - DISCLOSURE is sharing PHI outside of the facility

    10. What is a Breach?
       - Breach means the unauthorized acquisition, access, use, or disclosure of PHI maintained by or on behalf of a person.
       - A breach does not include any unintentional acquisition, access, use, or disclosure made in good faith and within the course and scope of your job, provided such information is not further acquired, accessed, used, or disclosed.
       - In other words, just looking up someone’s PHI, even if you don’t print it or tell someone else, is a breach, and you will be subject to disciplinary action up to and including termination.

    11. Incidental Uses & Disclosures
       - An incidental use or disclosure is not a violation of HIPAA provided the facility has applied reasonable safeguards and implemented the minimum necessary standard.
       - Examples of incidental uses and disclosures:
         - Discussions during teaching rounds
         - Calling out a patient’s name in the waiting room
         - Sign-in sheets in hospitals and clinics containing the minimum information necessary

    12. Protecting Patient Privacy: DO
       - Close curtains and speak softly when discussing treatments in semi-private rooms
       - Log off of the computer when not attended
       - Dispose of patient information in accordance with hospital policy and procedure
       - Clear patient information off of your desk and place it in a secure location when not in use
       - Verify fax numbers and addresses before sending PHI

    13. Protecting Patient Privacy: DON’T
       - Discuss a patient in public areas such as elevators, hallways, or cafeterias, or outside the facility or office
       - Share your computer username, ID, or password
       - Look at information about a patient unless you need it to do your job
       - Take information about patients (including nursing report notes) home
       - Discuss patient information in front of visitors without the explicit, documented authorization of the patient
       - Post any patient-related information in church bulletins, Facebook, MySpace, or any other social networking websites
       - Bring friends or family into areas of the facility, clinic, or agency where they can see or hear patients receiving care or where they might have access to PHI

    14. Sharing PHI with Family & Friends
       - The patient must be given the opportunity to agree, restrict, or object to providing PHI to family members, friends, or others identified by the patient as involved in the patient’s care or payment for health care
       - Document the patient’s decision
       - Use professional judgment to determine if disclosing PHI would be in the patient’s best interest if the patient is unable to agree or object

    Speaker notes: HIPAA 007 – Use & Disclosure of PHI to Persons Involved in the Patient’s Care, for Notification and Disaster Relief Purposes, deals with sharing PHI with family members, friends, or others specified by the patient. Often visitors will be in the patient’s hospital room, or family members join a patient in an exam room, when a caregiver is interviewing the patient or providing care instructions. We must offer the patient the opportunity to agree or to object to having the visitor in the room overhear the conversation. HIPAA 007 also requires us to document the patient’s permission, restriction, or objection to use and disclose the PHI in the patient’s medical record. If the patient is not able to agree or to object due to an emergency situation, if the patient has become incapacitated, or if the patient is not present (perhaps undergoing surgery in the O.R.), then the caregiver must use his or her professional judgment in deciding whether to share PHI with a family member, friend, or other person. The caregiver may disclose only the PHI relevant to the person’s involvement in the care or payment for health care if she or he thinks it would be in the patient’s best interest. [Note: These types of disclosures do not have to be tracked in an accounting of disclosures.]

    15. Areas of Concern
       - Friends/family/self: when you are seeking information on your family, friends, or yourself, you are not acting as an employee and you must access PHI using the procedures required for non-employees. This means you need a written authorization for release of information, which can be obtained in HIM.
       - You are not permitted to access your own medical records.

    16. Areas of Concern Employees as patients – information available to the facility as a healthcare provider is not generally available to it in the role of an employer. For example, if an employee comes into the ED – his/her supervisor or co-workers should not be accessing his/her ED information. This can be a challenging area: call the Facility Privacy Officer if questions arise.

    17. Areas of Concern
       Before PHI is removed from a facility for business purposes by any means, electronic or hard copy, the following questions must be answered:
       1. Does it need to go outside the facility?
       2. If so, are reasonable safeguards in place to protect the data from breach during transmission?

    18. Examples of HIPAA Potential Violations
       - Text messaging medical information about a patient to anyone!
       - An employee passing on information to her son about his spouse or their children
       - Allowing a former employee, friends, family, or co-workers into off-limits areas where PHI is located; this includes children
       - Taking pictures of patients with a cell phone camera

    19. Examples of HIPAA Potential Violations
       - Releasing information to a caller who is not properly identified as being authorized to receive information
       - Mailing/faxing PHI to the wrong person
       - Looking at the PHI of a co-worker, supervisor, family, friends, or self for non-work reasons
       - Posting information about a patient, or specific information about a day at your workplace, on a social networking site such as Facebook

    20. No Excuses Good intentions such as “I needed to let his mother know he was in the hospital,” or, “She is my best friend and she wouldn’t mind me looking,” do not count. Just plain nosiness is NO excuse.

    21. Reporting Suspected Violations of our Privacy Policies
       Suspected HIPAA violations should be reported to:
       - Your Supervisor
       - The Facility Privacy Office
       - The Corporate Compliance and Privacy Officer
       The Confidential Disclosure Program Hotline may also be used by calling 1-800-495-9510.

    22. Non-retaliation CHS POLICY AND STATE AND FEDERAL LAWS PROVIDE PROTECTION FROM RETRIBUTION OR RETALIATION AGAINST ANY PERSON FOR REPORTING ACTUAL OR SUSPECTED VIOLATIONS.

    23. COMPLIANCE IS NOT AN OPTION - COMPLIANCE IS MANDATORY UNDER HIPAA
       - Compliance with HIPAA is part of our culture.
       - Compliance with HIPAA is part of your job responsibilities.
       - Noncompliance may result in disciplinary action up to and including termination.
       - Noncompliance may also result in civil and/or criminal penalties.

    24. This Facility Protects Patient Privacy by…
       - Assigning a Facility Privacy Officer (INSERT NAME & NUMBER)
       - Having written policies and procedures to help employees understand the privacy rules
       - Providing this privacy training to the workforce
       - Putting in place ways to protect health information from being misused
       - Having a way for patients and others to file complaints
       - Providing discipline for employees who don’t follow the privacy practices

    Speaker notes: The facility has an obligation to protect patient privacy. The facility has assigned someone to be the Privacy Officer, who will oversee that the Triad HIPAA Privacy Policies and the facility’s privacy practices and procedures are being followed. The Privacy Officer will also be responsible for managing all complaints related to privacy. The facility will be implementing special policies and procedures specific to protecting patient privacy. The facility will be putting in special mechanisms and ways to protect PHI from unauthorized or inappropriate access, use, or disclosure. The facility will have a formal mechanism to investigate, manage, and resolve complaints regarding privacy that may be voiced by employees, patients, and families. The facility will enforce disciplinary action against those employees who do not follow the privacy policies and procedures.

    25. What is the Notice of Privacy Practices?
       The Notice of Privacy Practices (sometimes referred to as the NPP) is:
       - An explanation to our patients of how their personal PHI is used and disclosed
       - The start of a dialogue with our patients regarding the purpose of the uses of information
       - An explanation of the patient’s rights as defined by the HIPAA Privacy Regulations
       The Notice of Privacy Practices is:
       - Available in a paper copy
       - On the facility web site
       - Posted in the facility

    Speaker notes: Under the HIPAA Privacy Regulations, facilities are required to give patients a copy of the facility’s written Notice of Privacy Practices at the time of registration for admission or for an outpatient service encounter. This Notice, also referred to as the NPP, is a document intended to inform the patient how the facility plans to access, use, and disclose a patient’s PHI. This Notice includes a lot of information and is 8 pages in length. The Notice makes the patient aware that the facility, its Medical Staff, and other health care providers affiliated with the facility will be accessing, using, and disclosing some of the patient’s health information for treatment, payment, or health care operations purposes. The Notice also informs the patient of how the patient may authorize to have their health information disclosed to a third party, how the patient may file a complaint if the patient perceives his or her information has been used or disclosed inappropriately, how the patient can request access or an amendment to his or her records, and how the patient, if denied access or amendment, may file an appeal. In front of each of you should be a copy of the Notice to be used by [Facility Name]. Let’s take 5 minutes to quickly review the Notice and become familiar with its contents. Please feel free to refer to the form and its contents as we go along with the presentation. Also, please feel free to ask questions as you review the materials. It is critical to the facility’s overall HIPAA compliance that each employee know and understand the Notice and its contents. The Notice sets the facility’s privacy standards against which we will be graded. The Notice is posted in the facility at the following location(s) ______________________.

    26. Disclosures with Authorization
       - A valid Authorization is required for certain disclosures to:
         - Attorneys
         - Schools
         - Others
       - Applies to situations where use falls outside of treatment, payment, and healthcare operations and for which there is no exception to the authorization requirement
       - Only certain staff members are permitted to accept and act upon patient authorizations

    Speaker notes: Patients have the right to request and authorize their PHI to be disclosed for reasons other than treatment, payment, or health care operations. Some of these reasons may include:
       - Disclosures to a patient’s attorney for purposes of a malpractice lawsuit,
       - Disclosures to a life insurance company when the individual is seeking to obtain coverage, and
       - Disclosures to an auto insurance company when the individual is seeking to obtain a lower auto insurance rate based on their health status.
    Tip of HIPAA wisdom: As a rule of thumb, if PHI is used for any reason other than treatment, payment, or health care operations, and is not required by state or federal law, then it usually requires permission or authorization from the patient. You should refer to HIPAA Privacy Policy 004 for more details concerning these types of disclosures. Examples of people or departments who can accept and act upon authorizations include ___________________________. [List departments or people here]

    27. Disclosures Not Requiring Patient Authorization
       - Required by Federal or state law
         - Workers compensation
         - Birth reporting
         - Child abuse or domestic violence reporting
       - Required for public health reasons
         - Sexually transmitted diseases
         - FDA-regulated products
       - Required for national security reasons
       - Prevent a serious threat of harm to the individual or others
       If in doubt, check with the Facility Privacy Officer before disclosing the information.

    Speaker notes: There are situations when PHI may be used without patient permission. These exceptions include uses required by Federal or state law, Worker’s Compensation, or for use in a Medicare or Medicaid fraud and abuse investigation, among other possible examples. PHI may be used when required for public health reasons, including the national HIV database, the notification of sexually transmitted diseases, and FDA-regulated products related to quality, safety, or effectiveness. Other examples include reporting births, deaths, and state-mandated tumor or cancer registries. PHI may be used when required for national security reasons. For example, a paranoid schizophrenic patient threatens to release anthrax spores in the state capitol to kill the governor because the patient is angry that his or her Medicaid bill has been denied. The facility may release PHI needed by state and Federal law enforcement to find the patient and prevent him or her from acting out this threat. You should refer to HIPAA Privacy Policy 003 for more details concerning these types of disclosures. HIPAA 011 regarding the minimum necessary standard applies to these types of disclosures. We’ll discuss the topic of “minimum necessary” use and disclosure in a few slides. It is important to note that when we disclose PHI for the purposes noted on this slide, we must make sure that we only disclose the amount of PHI required to meet the reporting requirement. We will also discuss the requirement for accounting of disclosures in a few minutes.

    28. Facility Directory Disclosures
        - The patient must be given the opportunity to opt out of the directory.
        - Unless the patient objects, the following PHI may be included in the facility directory and given to those individuals who inquire about the patient by name:
          - Name
          - Location within the facility
          - Condition of the patient in general terms (e.g., good, critical, serious)
        - Only members of the clergy may have access to the religious affiliation of the patient, if provided.
        - If the patient has opted out of the patient directory, no information may be discussed; simply say, "I have no information on that person."

        The facility directory may be known as the patient directory. A patient must be given the opportunity to agree or object to being listed in the facility's patient directory. Unless the patient objects, certain PHI may be included in the facility directory, such as name, location within the facility, general condition (such as good, stable, fair or poor), and the patient's religious affiliation. If the patient is listed in the facility directory, this general information may be obtained by anyone who calls or requests to see a patient by name, including the media. However, information relating to religious affiliation may only be provided to members of the clergy. If the patient objects and requests not to be listed in the directory, this general information about the patient cannot be disclosed. In addition, phone calls cannot be transferred to the patient's room, and visitors cannot be directed to the patient's room. Please refer to HIPAA Privacy Policy 006 for further details on this topic.

    29. Patient Rights
        Under the HIPAA Privacy Regulations, patients have the right to:
        - Receive the Notice of Privacy Practices
        - Inspect and request a copy of their PHI
        - Know to whom their information is being disclosed in certain situations
        - Request restrictions on use and disclosure of their PHI
        - Request an amendment to their PHI
        - Request confidential communications of their PHI

    30. Case Study
        While working on the fourth floor, Sally Housekeeper noticed that her neighbor Penny Patient was walking down the hall in a hospital gown and pushing an IV pole. When she went home later that day, she told her husband that she saw their neighbor on the cancer unit.
        Is this a HIPAA violation? Why?

        Discussion points to consider: Was this a violation of our Privacy Policies? Why or why not? This was an inappropriate disclosure of PHI. Sally should not have told her husband about seeing Penny as a patient in her facility. By saying Penny was on the cancer unit, Sally has also provided her husband with the fact that Penny probably is being treated for cancer, which is a further inappropriate disclosure of PHI.

    31. Case Study
        Penny Patient is waiting in the outpatient clinic. Nurse Jones enters the waiting room and calls out, "Penny Patient." While still in the waiting room, Nurse Jones asks Penny Patient, "Have you been taking your Prozac for your depression?"
        Is this a HIPAA violation? Why?

        Discussion points to consider: Was there a Privacy violation here? If so, what was the Privacy violation?
        Note for Presenter: Calling out a patient's name in the waiting room is acceptable and is not a violation of Privacy policy. It is inappropriate to discuss Penny's drugs and diagnosis in the waiting room.

    32. Case Study
        Nurse Jane sees an employee looking through the medical records to find out medical information about another employee who is a patient in the facility, but Nurse Jane is not one of the caregivers for the patient.
        What should Nurse Jane do?

        Before we adjourn, let's take a brief moment to apply what we have learned. [Trainer reads the case study] Some key discussion points to include would be:
        - Nurse Jane should intervene to determine if the individual is authorized to be looking at the information.
        - If necessary, Nurse Jane should report the violation to the employee's supervisor and/or the facility Privacy Officer.

    33. How do I begin…..?
        - Become privacy focused
        - Know and follow the HIPAA Privacy Policies and our facility's privacy procedures
        - Understand the importance of privacy to our organization and our patients, and to keeping yourself safe from civil or criminal prosecution
        - Be sensitive to the patient's privacy needs and rights
        - Keep patient information as private as you would want your own information kept

        To recap, what each employee needs to do to become compliant with the HIPAA Privacy Policies is to: become privacy focused; know and follow Triad's HIPAA Privacy Policies and our facility privacy procedures; understand the importance of safeguarding privacy and be willing to change your behaviors to support it; and be sensitive to our patients' privacy needs and rights.

    34. To recap………
        - The facility is committed to and serious about patient privacy.
        - All complaints regarding patient privacy will be taken seriously.
        - The facility will investigate all privacy complaints.
        - Employees who violate the HIPAA Privacy Policies or any privacy practices and procedures will be subject to disciplinary actions, which could include verbal or written warnings, suspension from duties, or termination.
        - Retaliation against any person for reporting actual or suspected violations will not be tolerated.

        Let's take a moment to review briefly what we have learned today so we can apply it before we end this session. First, Triad is serious about patient privacy and has developed HIPAA Privacy Policies and facility privacy practices and procedures to protect both the patient and the employee. Second, the facility will take all complaints about privacy seriously and will thoroughly investigate them. Investigations of all privacy complaints are necessary to assess, identify, and fix whatever is wrong with the facility processes that may compromise patient privacy. Third, employees who violate the privacy practices, policies, and procedures will be disciplined. In contrast, employees may make honest mistakes and may accidentally be overheard talking about a patient. Those employees should feel comfortable with their work as long as they have applied appropriate safeguards to protect the patient's PHI.

    35. What can happen if I violate CHS Policy or break the law?
        Under recent changes in the law, state and federal authorities may now hold workforce members individually responsible for their actions!
        - Fines ranging from $50,000 per violation to as much as $250,000
        - Criminal prosecution and up to 10 years in jail may occur depending on the type of violation
        - Civil suits by state Attorneys General against the facility
        - Violation of CHS policy will result in appropriate disciplinary action up to and including termination

    36. Notable Enforcement Action…
        Fernando Ferrer, Jr. and Isis Machado
        Machado, an employee at Cleveland Clinic, used her computer access to obtain PHI, which was then sold to her cousin, Fernando Ferrer. Ferrer used the stolen PHI to submit fraudulent claims in excess of $7 million.
        Charged with:
        - Computer fraud
        - Conspiracy to commit identity theft
        - Conspiracy to wrongfully disclose IIHI (HIPAA)
        Ferrer: 87 months prison, 3 years supervised release, restitution of $2,505,883.43.
        Machado: 3 years prison, 6 months home confinement, same restitution.

        HIPAA does carry fines and penalties for violations. Since its inception in 2003 there have been, and continue to be, prosecutions that, as you can see, include jail time.

    37. A Case of Identity Theft…NOT!
        Trumann, Northeast Arkansas: After entering a guilty plea to a criminal HIPAA violation, a nurse faces up to 10 years in prison and a possible fine of $250,000.00!
        This was not a case of identity theft or stolen financial information… The information was reportedly disclosed to her husband, who threatened to use the information against the patient in an upcoming legal proceeding!

        This case should give everyone a warm and fuzzy feeling. The PHI disclosed and used in this case earned a nurse a fine and she's facing prison time. Interestingly, in exchange for the nurse's guilty plea, charges against the husband were dropped; now that's devotion!

    38. "Octomom"
        - Kaiser Permanente Bellflower Medical Center was fined $250,000 for failing to keep workers from peeking at "octomom" Nadya Suleman's electronic health records.
        - 23 unauthorized staff and physicians accessed the records, including some at other Kaiser facilities.
        - 1 person was fired, 14 others resigned and 8 were disciplined.

    39. Sentenced to Prison A 22-year old woman was sentenced to a year in prison for illegally accessing another woman’s medical records at her place of employment and then posting on a MySpace page that the other woman had HIV.

    40. FINAL THOUGHTS Confidentiality and protecting PHI is everyone’s job. Privacy Matters. Don’t discuss protected healthcare information in public or with those who do not need to know. Don’t get casual about privacy and confidentiality.

    41. Remember…. It could be your health information that someone is talking about.

    42. Questions?
        [This can be done in as long or short a time as desired. Presenter should actively request if there are any questions and, if there are none, should ask people what they learned.]
        [Make sure all participants have included their name and other information on the training session sign-in sheet.]
