INDIVIDUAL RIGHTS Right to a Notice of Privacy Practices

1. 1 INDIVIDUAL RIGHTSRight to a Notice of Privacy Practices �Providing the Notice to Patients� Education Module for Admissions, Registration and Clinic Staff Effective April 14, 2003 3/21/03

2. 2 Objectives Understand the purpose of 2 new forms: �Notice of Privacy Practices� or NPP (booklet) Acknowledgment Form Understand where patients� requests for privacy rights should be directed Understand how to update PCIS to show when the NPP was provided Know where to forward the new Acknowledgement Form

3. 3 Overview of Notice of Privacy Practices (NPP)Patient�s Privacy Rights Notice of Privacy Practices (NPP) Facility Directory (inpatient) � Opt Outs Confidential communications Request restrictions File a complaint about a privacy violation Access to their health records Amendment to their health records Accounting of disclosures, e.g., public health

4. 4 Purpose of the Notice of Privacy Practice (NPP) To permit patients to become informed about the uses and disclosures of their Protected Health Information (PHI) Describes the permitted and/or required uses and disclosures of PHI by the healthcare provider for Treatment, Payment and healthcare Operations (TPO) HIPAA Tip for Staff: You will see these abbreviations often -- NPP, PHI, TPO HIPAA = Health Insurance Portability & Accountability Act

5. 5 Notice of Privacy Practices (NPP) An individual has a right to adequate written notice of privacy practices describing: Uses and disclosures of Protected Health Information (PHI) that may be made by the Covered Entity Individual�s privacy rights Covered Entity�s legal duties with respect to PHI A �covered entity� is a healthcare provider, a hospital, a health plan, or a healthcare clearinghouse, e.g., UCSD HIPAA Tip for Staff: Read the Notice. Be aware of how patients may exercise their privacy rights and who the contacts are for responding to these rights.

6. 6 Acknowledgment Form�Acknowledgment of Receipt of the NPP� What is required by HIPAA? UCSD, as a covered entity, must make a �good-faith� effort to obtain the patient�s signature of receipt of the Notice or NPP What is your responsibility? Complete the Acknowledgement form, set the PCIS NPP flag to show that the Notice was provided, and route the form to HIMS/Medical Records �with the usual COTA forms When? At the time of first face-to-face service by a �direct care� provider Retention period? Acknowledgement Form must be retained in HIMS/Medical Record for at least 6 years

7. 7 Provision of the Notice or NPPFAQs-1 Who? By Direct treatment providers When? First service delivery after 4/14/03 How often? Once! (or upon request) Emergency condition? Offer NPP when practical after the patient is stabilized Mental Health Admission? There is a separate notice for inpatient mental health admissions. Offer the �NPP-MH� Notice instead. Main difference: Facility directory = No information Languages? English & Spanish in one document Staff Role? Make a �good faith� effort to obtain written acknowledgment of receipt

8. 8 Provision of the Notice or NPPFAQs-2 Who is a direct-care provider? All providers who furnish face-to-face health care, services or supplies, e.g., physicians, associate staff Who is not a direct care provider? Providers who furnish health care on the orders of another provider, e.g., clinical lab services, radiology services What is your role?: Most UCSD Clinics, Emergency Departments, Shiley Eye Center, CAPS, and other outlying care areas will rely on Admissions/Registration and front-desk Clinic staff to: offer the NPP, obtain a signed Acknowledgement form (unless the NPP was provided already), and update the PCIS NPP indicator.

9. 9 PCIS ScreensPatient Care Information Systems (PCIS) for UCSD Healthcare Where will the new NPP privacy notice indicator be located? What do I need to enter?

10. 10 PCIS Screens for NPP You will be able to update PCIS by entering a �Y� next to the NPP label and the date of Notice delivery The PCIS screens are� Registration Screen Scheduling Screen Important: Please be sure to update PCIS at the time of NPP delivery. To avoid duplicating efforts by other providers and clinics, please do not wait until later in the week. Timeliness is important!

11. 11 Sample PCIS screen with the NPP flagRegistration Screen

12. 12 Sample PCIS screen with the NPP flagScheduling Screen

13. 13 Provision of the NoticeFAQs-3 Who signs the Acknowledgment Form for� Minors ? Parent or Legal Guardian Some minors will be able to sign the Acknowledgment form if treatment is for �sensitive services� Incapacitated adult ? Legal Guardian Teens / group homes ? Teen can sign if the guardian / transport agent will not Newborns (if Mom has already signed)? Can assume the newborn (and all other children in home) received the Notice Inmates ? Not required to receive NPP Left before signing? Staff will complete the check-box for this event and sign/date.

14. 14 Impact of the NoticeWhat to expect Of the 8 patient privacy rights, these three rights are most likely to impact you: Facility Directory - expect requests for opt outs, explain what this means to inpatients Request for Confidential Communications � if it is reasonable, exercise professional judgment Request for Restrictions � caution, Privacy Officer approval required Read on�

15. 15 Facility Directory (Inpatients)Requests to �Opt Out� Upon request for a specific patient (by name), you may release the inpatient location and only a general condition statement�unless the patient is a �No Disclosure� patient Use the existing PCIS privacy indicator field to document when a patient requests privacy and does not wish to be listed in the inpatient directory Privacy indicators that patients may request: C = No phone calls V = No visitors / no clergy / no flowers N = No information*, notify security Be aware: No Information = �I have no information on this patient.� All mental health admissions and all jail holds are automatically �No Information� If a Clergy member asks for a list of patients of a religious denomination, the list must exclude any �no disclosure� patient Nothing new here!

16. 16

17. 17 Patient Right:Confidential Communications A covered health care provider must permit and accommodate reasonable requests to receive communications of PHI by alternative means and at alternative locations Examples of reasonable requests: Home address vs. mailing address; Billing vs. Guarantor P.O. Box; alternate cell phone # Staff Role: If the request is reasonable, you may accept. If you agree to the request, you must update the appropriate PCIS demographic screens, so that other departments will be aware of the change. Note: If you cannot document the request in a PCIS field, then the request may not be reasonable and should not be accepted without approval.

18. 18 Patient Right:Request for RestrictionsProtected Health Information (PHI) for Treatment, Payment & Healthcare Operations (HCO) A Covered Entity must permit an individual to request restrictions on uses and disclosures of PHI to carry out TPO and to persons involved in the individual�s care. BUT a Covered Entity is not required to agree to such requests (no review or appeal is required) If it agrees, Covered Entity may not violate the restriction except in emergency. Staff Role: Refer requests for restrictions to the Risk Manager or the Privacy Officer for approval. No exceptions!

19. 19 Patient Right: Request for Restrictions�Scripting Your Response� It is the policy of UCSD Healthcare to safeguard the confidentiality and security of information, including patient protected health information (PHI). To avoid disrupting patient care, written requests for restrictions will only be authorized in response to a concern for patient safety, celebrity status, or social stigma. The UCSD Healthcare Risk Manager or the Privacy Officer must review all requested restrictions not authorized by policy or of a questionable nature. Restrictions are difficult to manage and may restrict patient care. The Notice of Privacy Practices has the address for where written requests may be directed.

20. 20 Summary: 4 Easy Steps Provide the Notice Obtain signed Acknowledgement Update PCIS NPP Route forms Starting April 14th, offer the Notice to all patients who have not already received the NPP PCIS and clinic schedules will have indicators to show who needs the NPP Obtain the patient�s signature on the Acknowledgement form Set the PCIS �NPP-Notice� flag promptly Route the signed Acknowledgement form with the usual COTA forms to Medical Records (mail code: 8825)

21. 21 References for HIPAA UCSD HIPAA Internet web site for other HIPAA education modules: http://health.ucsd.edu/compliance/hipaa.shtml Intra-net for Clinical Enterprise Policies (CEPs) New policies & forms (Available in April-03) Questions? Call the UCSDHC HIPAA Privacy Office Help Line: 619-543-3344 (message line, weekdays)

22. 22 Training CertificateCongratulations You have now completed the �Providing the Notice to Patients� HIPAA education module. Disclaimer: This module is intended to provide educational information and is not legal advice. If you have questions regarding the privacy / security laws and implementation procedures at your facility, please contact your supervisor or the healthcare privacy officer at your facility for more information.