HIPAA Privacy & Information Security
This presentation covers the sections of HIPAA (the Health Insurance Portability and Accountability Act of 1996) related to Privacy and Information Security as they apply to Alegent Health.
Overview
• What is HIPAA and why should I care?
• HIPAA is the Health Insurance Portability and Accountability Act of 1996. This presentation will focus on those sections of the law related to Privacy and Information Security as it applies to Alegent Health.
• HIPAA:
  • Provides patients with more control over their health information
  • Sets boundaries on the use and disclosure of medical records
  • Establishes safeguards for the protection of PHI
  • Holds violators accountable with civil and criminal penalties
Overview
• The consequences for non-compliance can be serious, including termination of contracts with our vendors, restriction of access for physicians’ offices, and performance improvement for our workforce, up to and including termination and criminal charges. The financial and personal consequences for violators are also serious, including fines up to $250,000.00 and up to 10 years imprisonment. Several individuals have already been prosecuted for breach of medical privacy.
• Lastly, the practice of healthcare is founded on our patients’ trust in us, including safeguarding private information and sharing only what is necessary with those who have a need to know. Patient trust encourages the free flow of information between patient and provider – without it, patient care will suffer.
PHI – What is it?
• HIPAA Privacy rules protect individually identifiable protected health information (PHI) from inappropriate use, request or disclosure. PHI includes:
• And any other information that can be tied to a patient’s past, present or future health status and is created or maintained by Alegent Health.
Summary of the Regulations
• You must not use, request or disclose PHI except as permitted or required by these regulations
• You must make reasonable efforts to limit the use, request or disclosure of PHI to the minimum necessary
• You must not use or disclose PHI for marketing/fundraising purposes without specific authorization
• You must obtain satisfactory assurance that business associates will safeguard PHI
• You must recognize that de-identified data is not covered by HIPAA
• You must recognize and protect the 5 qualified privacy-specific patient rights under this rule
• You must designate a Privacy Officer to ensure compliance with HIPAA guidelines, train the workforce and provide a mechanism to address concerns.
What does HIPAA allow?
• We may NOT use, request or disclose PHI unless HIPAA allows it – which it does, in varying degrees, for:
  • Treatment purposes
    • PHI can be shared freely with other covered entities
  • Payment activities (including collections)
    • Minimum Necessary
  • Bona fide healthcare operations (Performance Improvement activities, etc.)
    • Minimum Necessary
  • As required by law (gunshot wounds, STDs)
    • Minimum Necessary
  • OR if the patient “says” to do so!
Patient Rights under HIPAA
• Under HIPAA, patients have 5 qualified rights:
  • The right to notice about how their PHI will be used and disclosed
    • The Notice of Privacy Practices given to each patient
  • The right to have access to their PHI
    • Usually a request to the Medical Records dept to get a copy for themselves or another provider
  • The right to request that access be restricted
    • As with No Info patients
  • The right to know who has accessed their PHI
    • A request for an Accounting of Disclosures via Medical Records
  • The right to request amendment to their PHI
    • Also managed through the Medical Records department
Communicating patient information
• “General” patient information
• Unless a patient instructs us otherwise, if someone asks about them by name, we can disclose:
  • That the patient is in the facility
  • The patient’s location (room #)
  • Their condition in general terms (undetermined, good, fair, serious, critical)
• This information can only be disclosed in response to a request – we cannot offer it to anyone without them asking us for it.
• If patients do NOT want “general information” available, they can notify Registration or their caregivers at any time and become a “No Info” patient
Communicating patient information
• Releasing more detailed information to those involved in the patient’s care or payment (lab results, insurance info, treatment plan, prognosis)…
• Disclosures of this nature should be directed by the patient whenever possible. As long as an adult patient is awake and competent, it is best to simply ask them for permission to discuss/disclose the information, and document the permission.
• We are also allowed to use professional judgment to determine whether it is appropriate, based on the person’s involvement in the patient’s current care or payment
• If the patient objects at any time, discontinue
Shhhh!
• Privacy regulations include oral communication as well as paper and electronic.
• Be aware of your surroundings.
• Avoid conversations about protected health information where others may overhear.
• Take reasonable steps to avoid being overheard whether you are talking face-to-face or on the telephone. If there is an office or private area available, use it. Offices, clinics and hospital rooms are NOT soundproof, and being a patient or visiting family member does not in itself negatively impact hearing.
• REMEMBER – It’s a small world. Discussions at restaurants, bars and ballgames have found their way back to our patients.
The basics…
• Do NOT
  • Access, use, request, review or disclose protected health information in any form, whether paper, electronic or verbal, unless you need to do so to do your job.
  • Then access, use, request, review or disclose only the minimum necessary to achieve your legitimate purpose.
Safeguarding PHI
(Windows flag) + L = Flag Out
• If you are given electronic access to patient information, you are subject to the following rules to safeguard PHI:
• Use only your own login and password, and never let anyone else use them. Protect them as you would if they accessed your bank account!
• Never sign into an application on a computer where someone else is logged in. This will cause your logins to be linked and could lead to inappropriate access on their part being attributed to you.
• Log off or “flag out” when you walk away from the computer. Flagging out (by holding down the Windows flag and clicking on the letter “L”) will pop up the login screen. You need only enter your password to be back where you were.
Safeguarding PHI
• Do not put PHI onto unencrypted devices!
• It is amazing how many times PHI has been lost or stolen in the last few years – it’s in the news all the time. Laptops are stolen out of cars, thumb drives and backup tapes lost. Maintaining or moving PHI only while it is encrypted and password protected will also protect you if something unfortunate happens!
• Do not email PHI unless it is encrypted!
• Protect records by keeping them in secure locations. Do not leave them unattended where passers-by can look at them!
Auditing
• One of the requirements of HIPAA is that we monitor employee activity within our systems
• The rule requires that we “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”
• At Alegent Health, everyone who accesses our clinical and billing software & systems should be aware that we do audit and review activity. The primary systems will show:
  • Whose record you accessed
  • What was done, including simple review of patient info, edits, updates, printing, screen changes, which screens were viewed, etc.
  • The date and time of each activity
Consequences
• Remember that an audit showing that you inappropriately accessed records that you did not need to access – including your own records, or those of friends or family – will be addressed.
• Inappropriate access may lead to a suspension or termination of access to the system – and may lead to criminal or civil charges as well.
• Before you access – be sure it’s worth it!
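As an added example (not part of the original training and not Alegent Health’s own audit tooling), the script below reviews a constructed access-log sample in the way the Auditing and Consequences slides describe: each line records who accessed whose record, what was done and when, and the review flags access to one’s own record and access by staff with no care or payment relationship to the patient. The log format, MRNs, user ids and care-team assignments are all assumptions made up for the example.

```python
from collections import namedtuple
from datetime import datetime

# Constructed sample of an EHR access log (not a real format or real data):
# timestamp, user id, patient MRN, action performed on the record.
SAMPLE_LOG = """\
2024-03-04T08:02:11 nurse17 MRN1001 view
2024-03-04T08:05:40 nurse17 MRN1002 edit
2024-03-04T08:09:03 clerk04 MRN1003 print
2024-03-04T12:15:22 nurse17 MRN1003 view
2024-03-04T12:31:09 billing2 MRN1001 view
2024-03-04T13:00:00 clerk04 MRN2000 view
"""

# Assumed: who holds a treatment or payment role for each record that day
# (e.g. from assignment data), and which workforce members are also patients.
CARE_TEAM = {
    "MRN1001": {"nurse17", "billing2"},
    "MRN1002": {"nurse17"},
    "MRN1003": {"clerk04"},
}
EMPLOYEE_MRN = {"clerk04": "MRN2000"}

AccessEvent = namedtuple("AccessEvent", "when user mrn action")

def parse_log(text):
    """Parse whitespace-separated log lines into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, mrn, action = line.split()
            events.append(AccessEvent(datetime.fromisoformat(ts), user, mrn, action))
    return events

def flag_events(events, care_team=CARE_TEAM, employee_mrn=EMPLOYEE_MRN):
    """Return (event, reason) pairs that the Privacy Officer should review."""
    findings = []
    for ev in events:
        if employee_mrn.get(ev.user) == ev.mrn:
            findings.append((ev, "self-access"))  # looked up own record
        elif ev.user not in care_team.get(ev.mrn, set()):
            findings.append((ev, "no care or payment relationship"))
    return findings

if __name__ == "__main__":
    for ev, reason in flag_events(parse_log(SAMPLE_LOG)):
        print(f"{ev.when:%Y-%m-%d %H:%M} {ev.user} -> {ev.mrn} ({ev.action}): {reason}")
```

A real review would pull the relationship data from scheduling, admission and billing systems rather than a hand-written table, but the decision logic is the same.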
Quick Quiz
• Joe heard that his grandmother was in the hospital. He called the hospital to find out her condition. Can her condition be disclosed?
• Yes. As long as Mrs. Jones hasn’t decided to be a No Info patient, we can disclose the room number and condition in general terms such as good, fair, serious or critical.
Quick Quiz
• A person calls you, identifying themselves as the spouse of a patient. Can we provide detailed patient information based only on the fact that they are married?
• No. Even if we are able to verify the caller’s identity as the spouse, a person is not entitled to a spouse’s PHI based on marriage alone. (As with any other caller, they can get Facility Directory info – if the patient isn’t No Info.)
• If the patient has not communicated a desire to have their spouse informed – either verbally or in written form – you would need to determine whether the spouse is involved in the patient’s care or payment for that care, and to what extent, prior to any disclosure.
Quick Quiz
• Is it ok to discuss patient information in public areas as long as you do not use the patient’s name?
• No. Even without saying the name, others may be able to determine who you are discussing – or think they know. This is not an appropriate way for someone to find out about a loved one’s prognosis.
• Even in an appropriate area, maintain professionalism. We have investigated several complaints stemming from patients overhearing their caregivers making derisive comments about them.
Quick Quiz
• Is looking up patient information out of concern or curiosity ok, as long as you don’t disclose what you see to others?
• No. Access patient information only when you have a legitimate, work-related need to know.
• Similarly, it is not appropriate to “just check” whether someone is or has been a patient because of something you’ve heard in the media.
Quick Quiz
• You are at work and see a friend as you walk down the hall. You stop and say hello. They tell you that they are in for tests and you wish them well and go on your way. When you get home, can you tell anyone about your friend’s tests?
• No. Any information that you gain while you are working as a member of Alegent Health’s workforce or while visiting one of our sites must be treated confidentially.
• Consider your friend’s situation – they may not have expected to see you and (short of hiding behind a plant) could not avoid speaking to you.
• In this type of situation, avoid direct questions about their reason for being there, and if your friend does give you details, ask if it is ok to share with others before doing so. Then be sure to say you have permission when you share!
Certificate of Completion
• Thank you for completing Alegent Health’s HIPAA Privacy & Information Security Training online.
• Name: ____________________ Date: ____________
• Please print this page for documentation purposes.