800 likes | 2.38k Views
HIPAA Basics: Privacy. As health care providers, we have always been called upon to maintain the privacy and confidentiality of patient health information. This is an ethical and legal obligation that we hold as nurses and as nursing students .
E N D
As health care providers, we have always been called upon to maintain the privacy and confidentiality of patient health information. This is an ethical and legal obligation that we hold as nurses and as nursing students. Until recently, patient medical records were recorded and maintained primarily on paper. Records were then filed and stored in physician offices, hospitals, and other health care areas. These records were kept safe in locked cabinets or closets. The History of HIPAA
The History of HIPAA • With increasing technology, we are able to maintain electronic files that allow more flexibility in communicating information. • It is now easier to quickly share records between offices, clinics, and hospitals which results in minimized storage requirements. • In addition, we are better able to track and analyze data that helps improve quality of care while controlling costs.
Information Accessibility • According to the American Health Information Management Association (AHIMA), an average of 150 people have access to patient medical records during a typical hospitalization. • This may include: nursing staff, housekeeping, x-ray technicians, physicians, food service staff, billing clerks, etc. • Because so many people have access to patient information, it is our responsibility to ensure that medical files are accessed only by those needingthat information to provide care.
The History of HIPAA The U.S. Federal government passed a law in 1996 that created national standards to protect patient medical records and other personal health information. This Federal legislation is called the Health Insurance Portability and Accountability Act(HIPAA)
The History of HIPAA • HIPAAwent into effect on April 14, 2003. • It sets forth minimum standards that all facilities must follow to protect patient information. • The key term associated with these privacy rules is Protected Health Information or PHI. • PHI covers all of the following: • Information used within a facility • Verbal or written information • Information stored in computer files • Patient information stored in paper files • Data shared between providers, payers or third parties
Every health care organization is expected to develop policies and procedures to guide HIPAA practices within their facility. Every person who provides care or assistance to patients in that facility is expectedto understand and comply with HIPAA regulations. It is essential that all patient health information be kept confidential. Organizations or individuals that violate HIPAA rules are subject to monetary fines (up to $250,000!) and civil or criminal charges (up to 10 years in jail!). Failure to comply may also: hurt the reputation of the facility put accreditation at risk result in costly lawsuits Failure to Comply
The goal of the HIPAA privacy program is to protect confidential information from improper use or disclosure. What does this mean to you? HIPAA Goal
Administrative Requirements Every agency must: • Appoint a Privacy Officer. • Develop policies and procedures that guide HIPAA implementation, evaluation and revision. These must include actions taken for those who do not follow the directives. • Provide education on HIPAA and organizational policies/procedures. • Develop a process for handling privacy related complaints. • Ensure no retaliation occurs against someone who reports potential violations in good faith. • Take appropriate action to minimize any harm that may result from breach of privacy. • Ensure processes are in place to demonstrate compliance with documentation and record keeping.
YOUR Responsibility • You must protect confidential information about patients and use information only to perform your role as a student nurse in that agency. • It is your responsibility to be sure patient information is only disclosed to others who have a legal right to it. • What information needs to be kept private? • All information that identifies an individual is considered confidential. • This includes: (but is not limited to) name, address, date of birth, phone/fax number, SS number, medical record or hospital number, room number, photographs, etc • It also includes: nursing and physician notes, treatment plans, and billing/insurance records
HIPAA Patient Rights HIPAA guarantees these rights to patients: • Right to privacy • Right to confidential use of protected health information (PHI) for treatment, billing, and other health care operations (such as quality improvement) • Right to access and amend their health information upon request • Right to provide specific authorization for use of their health information other than for treatment, billing and other operations • Right to have their name withheld from patient directories (having their name not listed as being present in a facility other than for treatment, billing, and other operations) • Right to request that information concerning their care is not released to specific individuals • Right to request that specific individuals are not told of their presence in a facility
Every patient should receive a document called a Notice and be asked to sign an Authorization. This Notice gives patients: Information about their rights. A description of how their PHI may be used by the facility. A comprehensive list of others to whom their health information may be disclosed. The Notice must be given to the patient on the first treatment date or as soon as is practical in an emergent situation. HIPAA Patient Rights
HIPAA Patient Rights • An Authorization is a form: • signed by the patient for use and disclosure of specific PHI that are not related to treatment, payment, or health care operations. • There are some uses and disclosures where an authorization is not required. • When in doubt about information for which a signed authorization is required…. ~ PleaseASKyour instructor ~
HIPAA Patient Rights What do YOU need to know? • Patients have the right to register complaints with Federal agencies and with the facility if they feel their rights have been violated. • Every facility has a Privacy Officer who is responsible for overseeing HIPAA implementation. • If you are uncertain about what information may be given out, talk to your instructor, a nurse on the unit where you are assigned, or contact the Privacy Officer.
Review Question The goal of HIPAA is to catch staff sharing patient protected health information (PHI) with those who do not need the information.... True or False? To see the correct answer, click NEXT.
Answer FALSE The goal of HIPAA is to protect confidential patient information from improper use or disclosure. If you see an apparent violation, you should report it to your instructor who will immediately assist you in contacting the Privacy Officer.
Unauthorized Disclosures One of the biggest threats to patient privacy is UNINTENTIONAL disclosure of information ~ Examples include: • Discussing patient information where other patients, visitors or staff may overhear ~ such as in elevators, hallways, dining facilities, or other common areas. • Leaving sensitive information in a location where patients or visitors could possibly see it.
Unauthorized Disclosures Another threat to patient privacy is when a staff member intentionally uses or discloses information in an unauthorized way: • Copying information and taking it home • Removing medical records and giving them to those with no legal right of possession • Deliberately sharing information with unauthorized persons (family members, friends, colleagues, news reporters, etc) • Using confidential information to gossip about patients • Leaving a computer unattended after logging in to an application • Sharing passwords with others or leaving passwords around a computer
Always be cognizant of: Where you are Who is around you What information can be seen or heard How you can “minimize possible incidental disclosure to others” You must ensure that PHI is only shared: With those who need to know At the minimum level necessary In order to provide safe, effective, and efficient care As a Student Nurse: Don’t browse through a patient charts or files out of curiosity Access only portions of medical record that you need to perform your role as a student nurse It is essential that everyone with access to PHI be aware of what is going on in their surroundings. Unauthorized Disclosures
Review Question One of the privileges of working in healthcare is that we have access to our friends and families PHI so we know when they have an illness…. True or False? To see the correct answer, click on NEXT.
Answer FALSE We do not have a right to access health information for anyone, including family members, unless it is essential for patient care. If you inadvertently view/hear patient information that is not necessary for you to provide care, you cannot share that information with anyone else.
Before you can legally release PHI(in person, by phone, or in writing): You must confirm the identity of the person requesting Determine if the requesting person is entitled to the information Verify what specific information this person is permitted to have How can you verify identity? A photo ID Password chosen by patient to ensure confidentiality Information known by those close to patient & who are permitted to access PHI (ie; middle name, DOB, mother’s maiden name, name of HS/College, etc) Verify Identity
Security Rules • Privacy Rules (which we have been discussing up to this point) identify what information is protected and define how and when PHI may be usedor disclosed. • Security Rules(used in addition to Privacy Rules) apply to PHI that is sent electronically . These rules govern PHI that is being transmitted, used, or stored in electronic format. • KEY COMPONENTS • Physical Security: protects computer hardware, wiring, systems, areas, and buildings • Technical Security: determines the type of information thatmay be accessed by individuals via computer • Technical Security Mechanisms: automatically monitor computer systems and report suspicious activity • Administrative Procedures: outline steps taken by the facility to enforce Security Rules These define the basic level of security that must be in place to comply with HIPAA
In order to protect PHI, it is important for us to understand how information is stored, transmitted, and utilized. Examples are: Faxes, Emails, Computer Reports As STUDENTS, ifyou are placed in a situation that requires you to email or fax PHI, consult your instructor about the proper procedure. Be especially mindful that any clinical information/communication is delivered to the intended person or destination! Electronic Communication
Case Scenario Dr. Williams asks Sue, a nurse, to bring up patient lab results on the computer at the nurse’s station. He does not see anyone in the area and he asks Sue to turn the monitor around so he can see it. There is no one near the desk when the screen is turned toward him. When Dr. Williams is finished, Sue turns the screen back around, away from public view. Dr. Williams and Sue violated HIPAA by turning the screen and viewing the lab results…. True or False? To see the correct answer, click NEXT.
Case Answer FALSE Because they took the time to examine their surroundings and make certain no unauthorized persons were near, they did NOT violate HIPAA. Turning the screen around and then returning it to a secure position is an acceptable practice. If there were visitors or other staff present, the doctor would have to go behind the desk and view the screen.
During your clinical experiences, you will encounter many documents that contain confidential information (PHI). It is YOUR responsibility to keep these documents out of public view! At your clinical site, NEVER leave documents where they may be accessed by unauthorized persons ~ even accidentally. Faculty often utilize visitor lounges, conference rooms, or other common areas for post-clinical discussion. In these public areas, it is especially important that you do not have papers/medical information where it could be seen by others. When you are finished with documents containing patient information, DISPOSE of them in designated containers ONLY! Paper Communication
Case Question Julie is a nurse entering information into a patient chart at the nurse’s station where visitors often come to ask questions. Jeff, another nurse, steps out of a patient room and asks Julie for help. Julie leaves the chart open on the desk, then goes to assist Jeff in the patient’s room. Leaving the chart open on the desk is OK since the nurse will be right back and trying to find her place would waste too much time…. True or False? To see the correct answer, click NEXT.
Case Answer FALSE The best way to maintain patient confidentiality is to NEVER leave records open & unattended. Closing the chart is a good first step. In a non-emergent situation, always return the chart to its designated location before leaving the area. In an emergency, secure the chart using your professional judgment, then assist with the emergency.
Verbal Communication Nursing is a collaborative team effort and is never practiced in isolation. As a result, there are many times when you will NEED to discuss patient information with colleagues. What should you do then ??? REMEMBER: • Only discuss information relevant to patient care • Include only individuals involved with the particular issue • Choose an area that is private to discuss the case • Check the surroundings to ensure no one will overhear confidential information
Case Scenario Jennifer, a nurse, and Tom, a physical therapist, are eating lunch together in the cafeteria. They begin discussing a patient for which they are both providing care. The cafeteria is crowded and others overhear them refer to the patient by name. They are violating HIPAA in this situation…. True or False? To see the correct answer, click NEXT.
Case Answer TRUE NEVER discuss PHI in areas where others may overhear!! If you need to discuss patient care with a co-worker, speak softly in an area away from the public.
The adult daughter of an elderly patient is in the room when the doctor comes in to review the patient’s test results. The patient introduces his daughter and then asks about the test. The doctor proceeds to explain the results in front of the patient’s daughter. The doctor violated HIPAA by talking about the test results with the daughter present in the room…. Case and Question True or False? To see the correct answer, click NEXT.
Case Answer FALSE Because the patient asked about the results with his daughter in the room, the doctor can assume that it is appropriate to discuss the results in front of her .
In the Radiology waiting room, an X-Ray Technologist calls the next patient by saying, “Jane Smith, we are ready for you in the sonogram room.” The X-Ray Tech violated HIPAA by calling out the patient’s name and test to be performed…. Case Question True or False? To see the correct answer, click NEXT.
Case Answer TRUE Healthcare employees are allowed to call out patient names in a waiting room. However, no other information should be communicated within the public area. The X-Ray Tech should not have mentioned the room to which the patient was going. Stating, “Jane Smith, we are ready for you now,” is acceptable.
Non-Retaliation Policy • Every institution is required to have a policy in place to safeguard the rights of a person who, in good faith, reports a privacy violation. • Action should not be taken against anyone: • Exercising their rights, including filing a complaint • Filing a complaint with the Department of Health and Human Services (DHHS) • Testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing • That believes an act or practice is against the law Remember, anyone reporting a violation must believe there is a problem BUT, they may not use or disclose PHI to address their concern.
Complaints If you feel there has been a privacy violation, inform your instructor and they will immediately assist you in contacting the Privacy Officer. You should refer patients who have a privacy concern or complaint to the charge nurse on the unit.
All health information that specifically identifies an individual (PHI) is considered confidential! Protecting the privacy of patient information is everyone’sresponsibility. As a Student Nurse, you are an active part of this program. Be sure to access only the information needed to perform your assigned responsibilities. Be aware! Don’t intentionally or unintentionally disclose PHI ~ Help others do the same. If you suspect a HIPAA violation, notify your instructor who will immediately assist you in contacting the Privacy Office. Summary
Thank You! • Thanks to…. ~ Memorial Medical Center ~ ~ OSF St. Joseph Hospital ~ …for assistance with this HIPAA module! • You are now ready to take the Final QUIZ!