Committed To World Class Service. HIPAA: YOUR GUIDE TO PRIVACY AND SECURITY at SALINA REGIONAL HEALTH CENTER. Revised October 2013.
HIPAA - WHAT IS IT?
HIPAA stands for Health Insurance Portability and Accountability Act of 1996. Until HIPAA was passed, rules to protect personal health information did not exist. Congress saw HIPAA as an opportunity to move health care into the electronic age. HIPAA sets national standards for the written, oral, faxed, and electronic management of patient information. It is illegal to violate HIPAA.
HIPAA:
• requires healthcare organizations to notify patients of their health information rights.
• requires healthcare organizations to obtain patient consent before sharing protected health information with others unless the information will be used for treatment, payment, or healthcare operations.
• sets standards to protect the integrity, availability, and confidentiality of information.
WHO MUST ABIDE BY HIPAA?
• Healthcare providers - hospitals, clinics, nursing homes, physicians, suppliers, and others who furnish, bill, and/or are paid for providing healthcare services
• Health plans - group health plans, health insurance issuers, Medicare, Medicaid, and all governmental healthcare programs for military personnel, their dependents, veterans, etc.
• Clearinghouses - billing services, repricing companies, "value-added" networks, etc., that are involved in the processing of health claims
Confidential Information
Confidential information takes on many forms. It can be information printed on paper, or data files stored on a computer, a hand-held device such as a smartphone, computer media, or voice mail. Regardless of the form it takes, you are responsible for protecting it from unauthorized disclosure or modification.
HIPAA VIOLATION PENALTIES
In addition to internal disciplinary action, HIPAA violations can lead to civil sanctions and fines. Criminal penalties for "wrongful disclosure" could result in large fines and/or jail time. Serious offenses include:
• knowingly releasing patient information. This can lead to one year in jail and a $50,000 fine.
• gaining access to health information under false pretenses. This can lead to five years in jail and a $100,000 fine.
• releasing patient information with harmful intent or selling patient information. This can lead to ten years in jail and a $250,000 fine.
Due to the Kansas Risk Management law, if an investigation determines that an employee has committed a privacy violation, the violation will be reported to the employee's licensing agency.
REMEMBER - HIPAA VIOLATIONS CAN HAVE SERIOUS CONSEQUENCES!
HIPAA - THINK ABOUT IT
In today's world, health information is easily transported and increasingly accessible. Information management technologies increase the risks and threats to the privacy of personal health information. HIPAA provides a structure for compliance with standards to protect the privacy and security of health information.
• No matter where you work (health center, lab, radiology, business office, doctor's office, volunteer services, information technology, patients' homes, etc.), or whether you have a direct patient care role or not, it is important to know the meaning of privacy, security, and confidentiality!
• As a student at SRHC, you are expected to keep privacy, security, and confidentiality central to providing quality care.
• Remember that PATIENTS have the right to control who sees their health information.
• In the past, privacy, security, and confidentiality were considered to be ethical obligations. Despite this, many situations led to health information ending up in the wrong hands. HIPAA seeks to correct breaches of privacy, security, and confidentiality.
REMEMBER - MAINTAINING PATIENT PRIVACY, SECURITY, AND CONFIDENTIALITY IS THE LAW!
HIPAA: IMPACT ON CLINICAL PRACTICE
HIPAA has had a significant impact on clinical practice. HIPAA does the following:
• Gives patients more control over their health information.
• Sets boundaries on the use and release of health records.
• Establishes safeguards that healthcare providers and others must provide to protect the privacy of health information.
• Holds violators accountable, with civil and criminal penalties that can be imposed if it is determined that a patient's privacy rights were violated.
• Strikes a balance when public responsibility supports disclosure of some data to protect public health (as in the case of child abuse).
HIPAA changes every facet of health care, including the way clinicians work, how data is accessed, how healthcare information is stored and shared, and authorizations and consents. It is important that you:
• share or use only the minimum amount of health information necessary to communicate information about patients.
• are aware of what patient information you are legally allowed to share and with whom.
• discuss a patient's personal health information in private.
• shred patient information instead of just throwing it in the trash.
• never leave patient information unattended in an area where unauthorized people can see it.
COMMUNICATION OF HEALTHCARE INFORMATION
HIPAA dramatically changes how healthcare information is communicated. Keep in mind:
• Display of patient information on a white board must be out of the view of the public.
• Phone communication requires more verification prior to giving out patient information.
• Communication with or about patients that involves sharing patient health information must be conducted in private and limited only to those who need to know the information in order to provide treatment, payment, and/or healthcare operations.
• It is important for you to know to whom patients have approved the release of personally identifiable health information.
HIPAA - TERMS TO KNOW
• Health Information (HI) - refers to information in ANY form (oral, written, electronic) related to an individual's past, present, or future physical or mental health, including the services delivered and the method of payment.
• Protected Health Information (PHI) - refers to any individually identifiable health information (IIHI) that is transmitted or maintained in any form.
• Electronic Protected Health Information (EPHI) - refers to any individually identifiable health information that exists in or is transmitted in electronic form.
WHAT IS IDENTIFIABLE INFORMATION?
DID YOU KNOW?
Patients are concerned about privacy. In a November 2000 Gallup Poll commissioned by Medic Alert:
• 77% of the people surveyed feel their personal health privacy is very important.
• 84% were somewhat to very concerned that their personal health information might be available without their consent.
• 90% said they trust their doctor to keep their personal health information private and secure, and 66% said they trust a hospital to do the same.
• 42% said they trust their insurance company.
• Only 7% were willing to store or transmit personal information on the Internet, and only 8% felt a web site could be trusted.
MISUSE OF HEALTH INFORMATION
People assume that discussions they have with healthcare providers will remain private. They expect that their private health information will not be shared inappropriately with others. When people don't trust healthcare providers, they:
• do not obtain treatment.
• give incomplete or inaccurate information.
• try to pay for services out of pocket to prevent insurance claims.
• change healthcare providers frequently.
• ask physicians to NOT document actual conditions.
Sshhh: PRIVATE MEANS PRIVATE
If your role as a student requires you to discuss healthcare information with patients, be sure to assess the environment before you start talking. Are there other people in the area who might hear the information you are sharing? Are those people authorized to hear the information you are sharing? Patients have the right to expect that they can talk to their healthcare providers in private and that their protected health information will be shared with (or overheard by) only those people they have authorized.
RESPONSIBILITIES
You should also use caution when discussing information with other providers involved in a patient's care. Make sure that people who DON'T NEED TO KNOW about a patient's medical condition don't hear your conversations.
HIPAA AND PATIENT RIGHTS
HIPAA regulations give patients the right to:
• determine who can see and hear their personal health information (PHI).
• inspect their medical records and, for a reasonable fee, obtain copies of those medical records if they want them.
• restrict the use and release of information.
• file complaints based on violation of privacy rights.
• exclude their names from patient directories.
• request confidential or alternative communication methods.
• request a list of when and where their confidential information was released.
HIPAA AND CONFIDENTIALITY
As a student in a healthcare setting, it is important that you take steps to protect the privacy of patients.
PROTECTING PRIVACY: IT'S EVERYONE'S JOB!
HIPAA AND THE HOSPITAL DIRECTORY
The following protected health information can be maintained in a patient directory: name, location in the hospital, condition described in general terms (good, fair, poor), and religious affiliation. SRHC must inform patients of the protected health information that may be included in the directory and to whom it might release the information (including clergy). SRHC provides patients with the opportunity to restrict or prohibit some or all of the uses or disclosures.
• If a patient chooses to have his/her name published in the directory, then patient name, room number, general condition (serious, poor, fair, good, etc.) will be given to people who ask for the patient by name.
• If a patient chooses NOT to have his/her name in the directory, then mail will be returned, flowers will not be delivered, and people asking for the patient by name will be told, "There is no one by that name listed in our patient directory."
• Patients who do NOT want to have their names in the directory will be listed on the white board using first and last initials. Additionally, a star should be placed by those patients' initials.
TIME OUT FOR PRACTICE
Hilda is observing on a unit in the hospital where Celia, a member of her church, is currently hospitalized. Hilda knows that Celia's family could use some help with meals, transportation, and babysitting. Hilda also knows that members of the church would be happy to help Celia's family, but the problem is that nobody from church knows that Celia is in the hospital. Hilda can get Celia's family the help it needs by making a quick phone call to the church.
Before Hilda can call the church, Celia must give her authorization. If Hilda calls the church without getting Celia's authorization, she is in violation of HIPAA regulations.
TIME OUT FOR PRACTICE
You hear a "Code Blue" called on the Mother/Baby unit, and you are curious to know who coded and why. You know the unit secretary on Mother/Baby, so you call her to find out what happened.
Based on the information provided in the scenario, you are seeking information out of curiosity. It doesn't matter that you promise to keep the information to yourself. You do not NEED TO KNOW any information about the patient who coded and why she coded; therefore, the unit secretary should not give you the information you are requesting.
KEY POINTS REGARDING TECHNOLOGY:
User IDs
Your user ID uniquely identifies you. You are responsible for all actions associated with your user ID; therefore, it is important to ensure that your user ID is used only by you and no one else. You will be held responsible for the actions of another individual if you allow them to obtain and use your user ID and password or allow them access to patient information in a clinical application while you are logged on.
COMPUTER WORKSTATIONS
Take these steps if you work with computers:
• Angle your computer away from public access/view.
• Keep all PDAs, laptops, and media locked up when not in use.
• Log off the system at the end of the work day. Log off or lock the workstation when you leave your work area.
• Even if you don't share a computer with someone else, it is possible that someone could try to illegally access information on your computer. Never leave secure information unattended while you are logged onto a secure system.
• Never allow anyone to use a secure system for which he/she does not have access after you have logged onto the system.
TIME OUT FOR PRACTICE
A classmate needs to look up information on a patient; however, you are currently logged into the computer he needs to use. You tell him to "go ahead and look up the information" and then log off the computer. Four months later, while checking up on a reported HIPAA violation, investigators discover that patient information was inappropriately accessed under your log-in. The problem is, you know you weren't the one who did it!
Remember, once you log into a computer, ALL ACTIVITY UNDER YOUR LOG-IN IS TRACKED AND ATTACHED TO YOUR NAME.
Personally Owned Devices
The IT department must approve any personally owned devices (including, but not limited to, laptops, tablets, iPads, and digital cameras) prior to being connected to workstations or the internal network. SRHC offers a “guest” wireless network for our patients, visitors or contractors. You may use personally owned devices with the guest wireless network on your personal time.
Texting and Cell Phones
Text messaging is not a secure form of communication. Text messaging of confidential information is not allowed. Taking pictures of computer screens containing confidential information is also not allowed.
Reporting Security Incidents
Notify the IT Help Desk (extension 7792) and your supervisor if you become aware of or suspect the following:
– Theft of or damage to equipment
– Unauthorized use of user passwords
– Policy violations
– Any other problems or questions with information security or patient privacy
The Omnibus Rule and Business Associates
• The HIPAA Rules define “business associate” to mean a person who performs functions or activities on behalf of, or certain services for, a CE that involve the use or disclosure of PHI.
• Disclosure means the release, transfer, provision of, access to, or divulging in any manner outside the entity holding the information.
• Access means the ability or means necessary to read, write, modify or communicate data/information or otherwise use any system resource.
The Omnibus Rule
Applies to:
• Covered Entities (CE) refers to providers, hospitals, health plans
• Business Associates (BA)
• Subcontractors to Business Associates that handle Personal Health Information (PHI) on behalf of Business Associates
Business Associates
• BAs must comply with the technical, administrative, and physical safeguard requirements, as well as the policies and procedures and documentation requirements, for ePHI under the HIPAA Security Rule.
• Direct liability for BAs under HIPAA would attach regardless of whether a BA, contractor and/or subcontractors have entered into the required business associate agreements.
HIPAA: SUMMARY
As you go about your daily job tasks, keep HIPAA in mind. Think of every item of information or data about any person who obtains service from SRHC as health information. As you deal with patients and/or their information, keep in mind:
HIPAA: IF YOU HAVE QUESTIONS
• For questions about privacy issues at SRHC, contact Kallie Burgardt, Privacy Officer, Ext. 6897.
• For questions about computer security issues at SRHC, contact Larry Barnes, Chief Information Officer, Ext. 7703.
• TO REPORT A BREACH OF PRIVACY OR SECURITY, CONTACT BECKY GROSLAND, COMPLIANCE OFFICER, EXT. 7094.
• If a patient believes his/her right to privacy has been violated, he/she can write a letter of complaint and send it to SRHC or the U.S. Department of Health and Human Services. Contact Kallie Burgardt for details. THERE IS NO PENALTY FOR FILING A COMPLAINT.
HIPAA
Our patients trust you to keep their information private and secure. Remember, “Entrusted with people's lives, we are privileged to provide quality healthcare service in a healing and spiritual environment.”