HIPAA Privacy-Security Training
Welcome! This HIPAA course consists of several sections:
• An Introduction to HIPAA
• Patient Rights
• Routine Use of Patient Information
• Disclosure of Patient Information – Actively Involved
• Business Associate – Extensive
• Basic Security Requirements
• Research
• Conclusion
An Introduction to HIPAA The Mayo Clinic Integrity and Compliance Program was created to reinforce the commitment to conducting our business with integrity. When people behave with integrity, they act honestly, sincerely, ethically, morally and legally. Our Integrity and Compliance Program applies to everyone: Mayo trustees, officers, all staff who work at Mayo entities, and people who do business with Mayo.
An Introduction to HIPAA Mayo’s Code of Conduct is part of the Integrity Program. The Code of Conduct is a formal statement of our rules of ethical business conduct. It covers nine areas:
• Ethics
• Confidential information and trade secrets
• Conflict of interest and outside activities
• Use of Mayo funds and assets
• Dealing with suppliers and referring providers
• Books and records
• Political activity and contributions
• Safety, health and environment
• Employee relations
Detailed descriptions of each topic can be found in the Mayo Integrity and Compliance Program Handbook (MC2570) or the Integrity and Compliance Program web site located at: http://mayoweb.mayo.edu/compliance-integrity/
An Introduction to HIPAA Our patients trust us and believe that we will keep their information private. Confidentiality breaches are very serious matters. Staff who knowingly violate our policies on confidentiality will be dealt with appropriately. The Compliance Office oversees the Integrity and Compliance Program and, in relation to that, operates a confidential, toll-free Compliance Information line, 1-888-721-5391, and a confidential online compliance reporting web site at: http://www.mycompliancereport.com (use required access code “MAYO”). The Compliance Office is available to answer any of your questions about compliance-related issues, the Code of Conduct, and HIPAA.
An Introduction to HIPAA What is HIPAA? The Health Insurance Portability and Accountability Act, also known as HIPAA, is a federal law intended to make the business part of healthcare more efficient by setting standards for submission of electronic bills, for electronic payments, and for checking referrals and authorizations electronically. The HIPAA transaction standards will save the healthcare industry – and us – a lot of money over the long term.
An Introduction to HIPAA When the healthcare industry begins to use these electronic transactions, a great deal of patient information will be exchanged among the industry’s computer systems. The Department of Health and Human Services has issued HIPAA privacy standards and security standards to provide for the protection of patient information from inappropriate use or disclosure. HIPAA does not limit a healthcare provider from using a patient’s information to provide appropriate treatment to the patient, sending patient information to insurance companies for reimbursement, or using patient information for quality control or operational improvement.
An Introduction to HIPAA While HIPAA will not require major process changes in our medical practice, it will require the cooperation and support of everyone in order to achieve and maintain compliance. To help with HIPAA compliance, we have developed some new policies and procedures, and we have changed some existing policies and procedures. This educational program highlights what each of you needs to do to protect the confidentiality of our patients’ information so that we maintain HIPAA compliance. We have a long-standing practice of protecting patients’ privacy and maintaining the confidentiality of their information. We can continue to maintain that practice only with your help! Who does HIPAA apply to? HIPAA regulations apply to all Mayo covered entities.
An Introduction to HIPAA What does HIPAA require us to do? HIPAA requires us to:
• Inform patients that they have certain rights, such as the right to obtain copies of their health information and the right to request amendments (Notice of Privacy Practices: http://mayoweb.mayo.edu/man-ipm/pr-noticeprivacy.html)
• Inform patients how their health information may be used and disclosed (Notice of Privacy Practices: http://mayoweb.mayo.edu/man-ipm/pr-noticeprivacy.html)
• Verify that those to whom we give patients’ health information, our business associates, also maintain its confidentiality
An Introduction to HIPAA What does HIPAA require us to do? (Continued)
• Meet certain administrative requirements, such as appointing a Privacy Officer at each site and documenting how we interact with patients about their rights
• Ensure that only authorized people have access to patients’ information
This educational program is designed to provide you the information you need to do your job.
An Introduction to HIPAA What type of information is protected by HIPAA? Patients’ health information and demographic information, defined as “protected health information,” is protected by HIPAA. This protected information includes identifying information about the patient, such as:
• Name
• Addresses
• Dates related to the patient, like birth date and dates of services
• Telephone numbers, fax numbers, and e-mail addresses
• Social Security Number
• Medical Record Number
• Any other account numbers or numbers that are specific to the patient
• Pictures of the patient
An Introduction to HIPAA What Does This Mean For Your Job? HIPAA means that all of our patient information needs to be protected. Are there any exceptions? Yes. HIPAA treats patient information differently if it will be used for research, public health activities, or certain internal operations. State laws may require us to follow additional guidelines. For example, Minnesota state law requires patient authorization for billing prior to sending information to an insurance company.
An Introduction to HIPAA Is non-electronic information protected by HIPAA? Yes. All patient information and demographic information is protected, whether it is on a computer, in a paper record, or verbal.
An Introduction to HIPAA Who is protected by HIPAA? ALL of our patients are protected by HIPAA! Questions? Contact your Privacy Officer http://mayoweb.mayo.edu/compliance-integrity/privacycontacts.html
Congratulations! You have completed the section on “An Introduction to HIPAA”.
Patient Rights HIPAA has mandated certain rights for patients concerning their health information. Most of these patient rights were already part of our policies and practices; the remainder required development of new policies. In this part of the program, we review patients’ rights as related to their health information. You need to know and understand the following six rights.
Patient Rights Patients have the right to see and obtain copies of their health information. Patients have the right to obtain copies of their medical record. Most patients can see their entire medical record; however, there are a few exceptions. Exceptions are explained in your privacy policies located at: http://mayoweb.mayo.edu/compliance-integrity/policies.html
If a patient requests a copy of their medical record, refer to your policy.
Patient Rights Patients have the right to request amendments to the information in their medical record. Patients have the right to request amendments to their medical record. These requests occur when the patient believes that their record is incomplete or inaccurate. The process and circumstances by which they are reviewed are explained in your policy. If patients request amendments to their medical records, follow the guidelines in your policy. Policies are located on the Web at: http://mayoweb.mayo.edu/compliance-integrity/policies.html
Patient Rights Patients have the right to know about certain non-routine disclosures of their health information Patients have a right to request a list of certain non-routine disclosures of their health information. For example, release of health information to the State Health Department or release of patient information under a subpoena must be documented and included in a list that is provided to the patient upon request. If the information is released for patient treatment, payment for services, or healthcare operations, documenting and reporting of disclosures is not required. In addition, disclosures that have been specifically authorized by the patient need not be documented or reported. State law may require us to follow additional guidelines. For example, Wisconsin state law requires accounting for all disclosures of health information, with no exceptions. If a patient requests a list of disclosures, refer to your policy for guidance. Policy located at: http://mayoweb.mayo.edu/compliance-integrity/policies.html
Patient Rights Patients have the right to request that their health information be communicated in a certain way As you are aware, patients have the right to discuss their health information confidentially. For example, if a patient is uncomfortable speaking with you in a crowded area, move to a more isolated spot where confidentiality is easier to maintain. Patients have the right to request that their health information be communicated in a certain way. Patients may request to have written communications sent to an address that is different from their “regular” address, as found in their medical record. For example, a patient may not want certain laboratory test results sent to their home address. In general, the department communicating with the patient is responsible for handling the patient’s request for confidential communications and should respond to the patient request. However, refer to your policy for further guidance. Policy located at: http://mayoweb.mayo.edu/compliance-integrity/policies.html
Patient Rights Patients have the right to request restrictions on how their health information is used or disclosed. We may use a patient’s information for their treatment, payment for services, and to conduct healthcare operations. It is important that patients receive consistent responses to their requests for restrictions. If a patient requests a restriction, refer to your policy for guidance. Your policy is located at: http://mayoweb.mayo.edu/compliance-integrity/policies.html
Patient Rights Patients have the right to complain to us and to the government about our privacy practices or about a violation of those privacy practices. We do our best to ensure that our patients’ information is kept private. However, mistakes sometimes happen. If patients feel that their privacy has been violated, they have the right to complain. If a patient wishes to file a complaint, follow the guidelines in your policy. Your policy is located at: http://mayoweb.mayo.edu/compliance-integrity/policies.html
Patient Rights How do patients learn about these rights? Beginning in early 2003, patients received a document that describes patient rights and how patient information is handled. This document is known as the Notice of Privacy Practices. In addition, the Notice of Privacy Practices will be available on our web site, in all patient areas, and in the Emergency Department. It is important that you are familiar with the contents of the Notice of Privacy Practices. If a patient has questions about the Notice of Privacy Practices, refer them to your Privacy Officer. A listing of Privacy Officers is located at: http://mayoweb.mayo.edu/compliance-integrity/privacycontacts.html
Questions? How do you learn more about patient rights? Contact your Privacy Officer at: http://mayoweb.mayo.edu/compliance-integrity/privacycontacts.html
Congratulations! You have completed the section on “Patient Rights”.
Routine Use of Patient Information How is patient information protected? Policies have been established governing how patient information can be used. As part of your job, you routinely handle patient information and encounter patients. This module reviews how to appropriately handle these situations to ensure that patient health information stays confidential.
Routine Use of Patient Information Is the fact that a patient was here confidential? Yes. A patient’s presence here must remain confidential. If you recognize a patient, keep it to yourself. Many individuals come here because we provide excellent care. They trust us to keep their presence – and their information – confidential. Do not talk about patients with your colleagues unless it is necessary to do so for your job. Also, it is inappropriate to discuss patients outside of the workplace.
Routine Use of Patient Information It is important to be aware that someone may be able to identify a patient based on the content of your conversation, even if you do not identify the patient by name. For example, at a dinner party you may talk about an extremely rare cancer that was treated with an interesting experimental surgery. If one of the people at the dinner party knew someone with the same extremely rare cancer, your dinner conversation may reveal details about their care. Do not place yourself, your co-workers, or your employer in a compromising situation because you have failed to respect a patient’s privacy. Keep all patient information private. It is the right thing to do.
Routine Use of Patient Information What do you do if you overhear others talking about patients? Occasionally, you may hear others talking about patients. All patient information, written and verbal, is protected by HIPAA. For example, while in an elevator, you might overhear a physician speaking with a resident about a patient. No matter how interesting the conversation might be, do not pass it on. Also, you may want to remind them that they have an obligation to maintain patient confidentiality and should not be talking about patients in front of others not directly involved in their care.
Routine Use of Patient Information If you find yourself in a situation where you need to talk about a patient, pay attention to who may overhear your conversation. Look for a private place to speak if others – especially members of the public – can hear you.
Routine Use of Patient Information What do you do if you unintentionally see patient info? As a member of our workforce, you will occasionally encounter patient information for patients not under your care. Regardless of the way it is encountered, patient information is protected and must remain confidential. For example, you may see a patient’s medical record at a nursing station. You should not look at a patient’s information unless you are directly involved in that patient’s treatment.
Routine Use of Patient Information If you are concerned that others are not being careful with patient information, remind them of their responsibilities to keep that information confidential. It may also be appropriate to notify their supervisor or your Compliance Office. If you feel that a patient’s privacy is not being respected, it may be necessary for you to inform your supervisor or your Privacy Officer. Compliance Office contacts are located at: http://mayoweb.mayo.edu/compliance-integrity/compliancecontacts.html Privacy Officer contacts are located at: http://mayoweb.mayo.edu/compliance-integrity/privacycontacts.html
Routine Use of Patient Information How can we use patient information? Patient information can be used for:
• Treatment: provision, coordination or management of healthcare and related services for a patient, including communications with other providers about patient treatment or referral of a patient to another provider
• Payment: activities undertaken to obtain reimbursement for the provision of healthcare
• Healthcare Operations: activities including, but not limited to, quality assurance, medical review, legal services, auditing functions, and general administration
Routine Use of Patient Information If you have questions or need additional information about these terms, contact your Privacy Officer. Privacy Officer contacts are found on the web at: http://mayoweb.mayo.edu/compliance-integrity/privacycontacts.html If you use patient information for purposes other than treatment, payment or healthcare operations, you may need to obtain a written patient authorization. Check with your supervisor or Privacy Officer for the appropriate forms and procedures.
Routine Use of Patient Information How much patient information can we use? Your department will determine what types of patient information are required to do your job. The “need-to-know” rule is HIPAA’s minimum necessary standard. Not every employee needs access to a patient’s entire medical record. Clinical staff, such as physicians and nurses, generally need to see the whole patient record in order to properly care for a patient. Other staff, however, may only need the patient address and phone number for appointment scheduling.
Routine Use of Patient Information In addition, not every employee needs access to every patient’s record. Clinical personnel should only access the patient information of patients with whom they have a treatment relationship. “Curiosity viewing” of patient records is absolutely prohibited. Your site has a policy regarding medical record access. Contact your Privacy Officer if you have questions regarding the minimum necessary standard. Privacy Officer contact list is found at: http://mayoweb.mayo.edu/compliance-integrity/privacycontacts.html
Routine Use of Patient Information What is your responsibility in providing a patient's information to another staff member? You should verify the identity of anyone who requests patient information from you. Just because a person is asking does not mean that there is a need-to-know. You should be certain that it is necessary for the requestor to see the patient’s information, even if you know the person is an employee of our organization. For additional information about verification of employee identity or authority, contact your Privacy Officer. Privacy Officer contact list is found at: http://mayoweb.mayo.edu/compliance-integrity/privacycontacts.html
Congratulations! You have completed the section on “Routine Use of Patient Information”.
Disclosure of Patient Information – Actively Involved It is sometimes necessary to disclose a patient’s information outside of our organization. Does HIPAA require patient authorization for disclosure of their health information? HIPAA requires us to obtain patient authorization for certain disclosures. Many other disclosures can still be made without prior patient authorization. Disclosures for treatment, payment, healthcare operations, or those required by law, do not require patient authorization.
Disclosure of Patient Information – Actively Involved What disclosures do not require patient authorization or documentation? Disclosures needed for treatment, payment, or healthcare operations do not require patient authorization or documentation of the disclosure. For example:
• Patient information sent to other providers for follow-up treatment
• Patient information sent to insurance companies for reimbursement
• Patient information disclosed to accrediting organizations, such as JCAHO (Joint Commission on Accreditation of Healthcare Organizations), to maintain facility accreditation
• Patient information given directly to the patient during the course of treatment
Disclosure of Patient Information – Actively Involved What disclosures do not require patient authorization but must be documented? Disclosures that generally fall into the category of “public purposes,” for example, the mandatory reporting of communicable diseases, may be made without patient authorization. These disclosures are more fully described in your policy (http://mayoweb.mayo.edu/compliance-integrity/policies.html). It is important to note, however, that the disclosure must be documented and made available to the patient upon request. If you want more information on public purposes, contact your Privacy Officer (http://mayoweb.mayo.edu/compliance-integrity/privacycontacts.html).
Disclosure of Patient Information – Actively Involved What disclosures require patient authorization? Today we get authorizations from our patients for various reasons, and this must continue. HIPAA specifically requires patient authorizations for disclosures of psychotherapy notes and for purposes of marketing. If you have questions about the disclosure of a patient’s information without patient authorization, or about the circumstances in which a disclosure requires patient authorization, contact your Privacy Officer.
Disclosure of Patient Information – Actively Involved Is there a special authorization form we have to use? HIPAA requires specific criteria that must be included in an authorization form in order to be valid. Authorization forms have been updated to reflect HIPAA requirements. Contact your Privacy Officer with questions. (http://mayoweb.mayo.edu/compliance-integrity/privacycontacts.html).
Disclosure of Patient Information – Actively Involved Are there limits to the amount of patient information we can disclose? Yes. The minimum necessary standard applies to disclosures of patient information outside of our organization. If another provider requests information on a patient’s insurance plan, we should send only the information requested and not the entire record. When we request patient information from others, we should ask only for information required for our purpose.
Disclosure of Patient Information – Actively Involved There are four important exceptions to the minimum necessary standard. They are:
• Disclosures for treatment purposes
• Disclosures made directly to patient
• Disclosures made based on patient authorization
• Disclosures made as required by law
If you have questions regarding these exceptions, contact your Privacy Officer (http://mayoweb.mayo.edu/compliance-integrity/privacycontacts.html).
Disclosure of Patient Information – Actively Involved What if a patient does not want to be included in the facility directory? The facility directory contains the patient’s name, location in the facility, general condition, and religious affiliation. If a patient requests not to have this information disclosed to the public, we need to comply. The patient’s directory information will remain available to our internal staff so that we can locate the patient.
Disclosure of Patient Information – Actively Involved How do we verify someone’s identity? We must make reasonable efforts to verify the identity of someone requesting patient information, with the following exceptions:
• When a person asks for information about a patient (by name) from the facility directory
• Where the disclosure is to a family member or friend involved in the care of the patient, and the patient allows them to participate
One method of verification is for the requestor to provide a form of government-issued identification, such as a driver’s license or a passport. When a government official asks for patient information, ask to see documentation that demonstrates they work for the government.
Disclosure of Patient Information – Actively Involved How do we verify that a requestor is entitled to see the patient information they are requesting? In addition to verifying their identity, requestors must also prove that they have the right to see the patient’s information. For example:
• The requestor presents an authorization signed by the patient
• The requestor demonstrates that they are a government official seeking information for a purpose that does not require patient authorization (such as a state health agency or a licensure survey)
Disclosure of Patient Information – Actively Involved For more details, ask your Privacy Officer (http://mayoweb.mayo.edu/compliance-integrity/privacycontacts.html) or contact the Legal Department to determine who may obtain patient information. Also be sure to review your policies on verifying the identity of a person requesting to see patient information. (http://mayoweb.mayo.edu/compliance-integrity/policies.html)
Disclosure of Patient Information – Actively Involved Can patient information be released to people and organizations with whom we do business? Yes. The HIPAA privacy rule allows us to release patient information to persons or organizations that assist us. The people and organizations that receive patient information in order to perform a service or function for us are called our “business associates.” Further information about business associates and business associate agreements is provided in a later module of this course.