At Medical Center Hospital, we believe protecting patient confidentiality is doing the right thing because it’s the right thing to do. We must all work together to show our patients that protecting the confidentiality and security of their protected health information (PHI) is as important to us as their health. This training session is followed by a quiz; a score of 80% correct is required to pass.
Just what is HIPAA anyway? Let’s look and see! The Health Insurance Portability and Accountability Act is a federal law enacted in 1996. It sets national standards for the privacy of protected health information (PHI) in any form, and additional security standards for PHI that is created, stored or transmitted electronically (ePHI). It also helps prevent fraud and abuse and simplifies billing to help reduce health care administrative costs. Disclosures without proper authorization can carry hefty fines and even jail time, and those penalties are not limited to covered entities: individuals may be fined and/or jailed as well.
What is a covered entity? A covered entity is a health plan, a health care clearinghouse (an organization that processes electronic billing), or a health care provider (a person, group, company, hospital or other establishment) that provides health care and transmits health information electronically in connection with billing and similar transactions. Business associates that create, receive or maintain PHI on a covered entity’s behalf share many of the same obligations (see below). What is PHI? Protected health information is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. This includes any part of a patient’s medical record or payment history. PHI relates to the past, present or future condition of an individual, the provision of health care to an individual, or payment for care provided to an individual, whether transmitted or maintained in electronic, paper or oral form. Examples of PHI are: name; address (street, city, zip code); any date (birth, admit, discharge, death); telephone and fax numbers; electronic addresses; social security number; medical record number. A complete list of PHI identifiers is provided later in this training.
What is a Business Associate? Most health care providers and health plans do not carry out all activities and functions by themselves. They often use a variety of other persons or businesses. The Privacy Rule of HIPAA allows covered providers and health plans to disclose PHI to these “business associates” if satisfactory assurances are obtained that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule.
When can PHI be shared?
• For treatment of the patient (direct care; coordination of care; consultation; referrals)
• For payment of health care bills
• For healthcare operations/business management such as quality improvement, compliance, competency and training
• For disclosures required by law
• For public health or other governmental reporting
• When the patient gives written authorization
De-identification of PHI: De-identification requires the elimination not only of primary or obvious identifiers such as the patient’s name, address, date of birth (DOB), and treating physician, but also of secondary identifiers through which a user could deduce the patient’s identity. Under the HIPAA “safe harbor” method, the following identifiers of the individual (and of relatives, employers, or household members of the individual) must be removed:
• Names
• Address information smaller than a state (street address, city, county, zip code)
• Names of relatives and employers
• All elements of dates (except year) including DOB, admission date, discharge date, date of death
• All ages over 89 (and any date, including year, that would reveal such an age)
• Telephone numbers
• Fax numbers
• Email addresses
• Social Security Number
• Medical record number
• Health plan beneficiary number
• Account numbers
• Certificate/license number
• Vehicle identifiers, including license plate numbers
• Device ID and serial number
• Uniform Resource Locators (URLs)
• Internet Protocol (IP) addresses
• Biometric identifiers, including finger and voice prints
• Full face photographic images and comparable images
• Any other unique identifying number, characteristic, or code
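The identifier list above is a rule you can apply mechanically to a structured record, but in practice the identifiers that slip through are the ones buried in free-text notes. The following Python example is added here and is not part of the original training material; it applies the safe-harbor rules to a constructed sample record (the field names, regex patterns and sample values are assumptions for illustration, not real patient data) and also scrubs the most common identifier formats out of narrative text.

```python
"""Safe-harbor de-identification of a patient record (added example).

Structured identifier fields are dropped, dates are reduced to the year,
ages over 89 collapse into a single "90+" bucket (and the birth year is
dropped with them, since year alone would reveal the age), and free-text
fields are scanned for SSNs, phone numbers, e-mail addresses, dates and
ZIP codes.  Field names and sample data are constructed for this example.
"""
import re
from datetime import date

# Structured fields removed outright; they mirror the identifier list above.
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "street", "city", "county", "zip", "relatives", "employer",
    "phone", "fax", "email", "ssn", "mrn", "plan_id", "account_no",
    "license_no", "vehicle_id", "device_serial", "url", "ip",
    "biometric", "photo",
})

# Date fields are reduced to the year only.
DATE_FIELDS = frozenset({"dob", "admit_date", "discharge_date", "death_date"})

AGE_LIMIT = 89  # ages above this are reported as "90+"

# Identifier formats that commonly leak into narrative notes.  Order matters:
# the more specific patterns (SSN, phone) run before the generic 5-digit ZIP.
FREE_TEXT_PATTERNS = [
    (re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"), "[SSN]"),
    (re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DATE]"),
    (re.compile(r"\b\d{5}(?:-\d{4})?\b"), "[ZIP]"),
]


def scrub_free_text(text: str) -> str:
    """Replace identifier-shaped substrings in narrative text with tags."""
    for pattern, tag in FREE_TEXT_PATTERNS:
        text = pattern.sub(tag, text)
    return text


def deidentify(record: dict) -> dict:
    """Return a safe-harbor de-identified copy of a structured record."""
    age = record.get("age")
    over_limit = isinstance(age, int) and age > AGE_LIMIT
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                      # direct identifier: drop entirely
        if key in DATE_FIELDS and isinstance(value, date):
            if key == "dob" and over_limit:
                continue                  # birth year alone would reveal age > 89
            out[key] = value.year         # keep the year only
        elif key == "age" and isinstance(value, int):
            out[key] = f"{AGE_LIMIT + 1}+" if over_limit else value
        elif isinstance(value, str):
            out[key] = scrub_free_text(value)   # narrative fields get scanned
        else:
            out[key] = value
    return out


# Constructed sample record; none of these values belong to a real person.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street": "12 Example Lane",
    "city": "Odessa",
    "zip": "79761",
    "dob": date(1931, 5, 2),
    "age": 92,
    "admit_date": date(2023, 3, 14),
    "discharge_date": date(2023, 3, 18),
    "mrn": "MRN0012345",
    "phone": "432-555-0100",
    "diagnosis": "Type 2 diabetes mellitus",
    "notes": "Pt's daughter (432) 555-0199 called re 03/14/2023 admit; "
             "mail to jane@example.org, zip 79761.",
}

if __name__ == "__main__":
    for k, v in deidentify(SAMPLE_RECORD).items():
        print(f"{k}: {v}")
```

Two points the code makes that the list alone does not: removing structured columns is the easy half, and the regex pass over notes is a floor, not a guarantee (it will also flag harmless five-digit numbers, which is the accepted cost). Safe harbor additionally requires that you have no actual knowledge the remaining data could identify the individual, so a record that is unique on diagnosis and year may still need review.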
A Notice of Privacy Practices is required! Covered entities must provide a notice that tells a patient how the covered entity may use and share their health information and how the patient can exercise their health privacy rights. In most cases, a patient receives this notice on their first visit to a covered entity. The notice must be updated whenever the practices it describes change.
Refrain from discussing PHI in public areas, such as elevators, hallways and reception areas, unless doing so is absolutely necessary to provide treatment to one or more patients such as in a disaster situation. We all want our privacy protected when we are patients. It’s the right thing to do. Don’t be careless or negligent with PHI in any form. HIPAA and Texas state law require us to protect a patient’s privacy.
Disclosure of PHI without Permission: HIPAA BREACHES CAN BE COSTLY—for you! Employees can lose their jobs, contractors can lose their contracts and everyone is subject to civil and criminal liability. Unauthorized disclosure of a patient’s health information must be reported. Anyone who knows, or has reason to believe, that another person has violated one or more rules under HIPAA has the right and responsibility to report the matter promptly to his or her supervisor, the MCH Compliance Office or the federal agency that enforces HIPAA, the Office for Civil Rights (OCR). The incident will be thoroughly investigated. Covered entities are required by law to mitigate, to the extent practicable, the harmful effects of any breach. Disclosures without proper authorization can carry hefty fines, and those fines are not limited to covered entities: individuals may be fined as well. Fines and penalties for HIPAA violations are higher when the offense is deliberate. A recent court case resulted in prison time for employees who stole patient information and used it to obtain health care.
SECURING PHI: Protecting patient privacy requires us to secure the patient’s information. ePHI (Electronic Protected Health Information) is any computer-based patient health information that is used, created, stored, received or transmitted using any type of electronic information resource such as a personal computer, laptop computer, tablet computer, smartphone or cellphone. Because technology is continually evolving, the list will change, but the generally accepted rule is: if it’s electronic, it’s covered by HIPAA. Physician portal users are assigned a unique user id for login purposes. Using someone else’s user id and/or password is not allowed. All access to the physician’s portal at MCH is logged. If you allow someone to use your log-in credentials and they do something wrong or illegal, YOU get the blame. You can be written up, lose your computer access and/or get fired for something someone else did while using your log-in credentials.
INFORMATION ON THE MOVE
FAXING is permitted. A cover sheet containing a confidentiality statement must always be included. Always check the fax number prior to dialing it, and double check the number you typed in on the fax screen before pressing the send button. Fax numbers change, and many faxes have been received by people who should not receive them. The cover sheet should tell the recipient what to do with a fax that goes astray.
ENCRYPTION: If you must send PHI in email to someone outside MCH, you must contact the I.T. Department to have the hospital-approved encryption product installed on your computer, or the PHI must be de-identified. De-identification of PHI means removing any information that can be used to link that information back to an individual.
PORTABLE STORAGE DEVICES Don’t store ePHI on portable storage devices. If you MUST store PHI on a device that is portable, either de-identify it or encrypt it. Delete it when it is no longer needed and always protect the device from loss and damage. Remember that you are solely responsible for anything you do with protected health information.
Remember: YOU are responsible for everything that occurs under your portal login.
• Log off before leaving a computer unattended. This limits accidental access to ePHI under your user id.
• Passwords are not to be written down or posted. Passwords must not be sent in any kind of electronic communication, such as email or a text message.
• Looking at someone’s medical information without proper authorization and/or a medical need to know is wrong, and every access to a patient record is recorded.
• If you think someone knows your password, immediately report the breach and change your password.
• Automatic screen savers with a lock are a good way to prevent accidental exposure of ePHI.
You have completed the training portion of our Online Education. You WILL have to register the first time you take this test.