hipaa inservice
HIPAA
What is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996, a national law that prohibits the violation of patient privacy and establishes standards for the privacy and security of Individually Identifiable Healthcare Information.
Who Must Comply?
Covered Entity (CE): Health Plans, Clearing Houses, and Providers who transmit any health information in electronic form in connection with a standard transaction. Examples:
• Insurance Companies
• Ambulatory Care Facilities, such as The Stone Center and Same Day SurgiCenters
• Hospitals
• Physician Offices
Business Associate (BA)
Business Associate (BA)
A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. For example: Pharmacy Consultant, Information Management Consultant, The Board of Governors, etc. They may have access to patient information, but it is used for The Stone Center's purposes, not for their own personal use.
HITECH – ADDITION TO HIPAA
The Health Information Technology for Economic and Clinical Health Act, abbreviated HITECH Act, was added to HIPAA effective in 2013. The HITECH Act provides financial incentives for the use of electronic health records (EHR) in healthcare as well as regulations for electronic use and transmissions.
HITECH – ADDITION TO HIPAA
As technology has evolved, HITECH stipulates that technologies and technology standards created under HITECH do not compromise HIPAA privacy and security laws. It requires that:
• The healthcare providers' Business Associates (BA) are accountable for the same liability for data breaches as the providers themselves.
• Fines and penalties for breaches are increased.
• Practices must notify patients of any unsecured data breaches related to Protected Health Information (PHI).
• Patients and designated third parties must be given access to their PHI in an electronic format if available.
What is PHI?
Protected Health Information (PHI): All individually identifiable health information held or transmitted by The Stone Center or its business associate in any form.
Examples:
• Insurance Information
• Billing Information
• Patient Satisfaction Surveys
• Discharge Summaries
• Medical Records
PHI is Confidential!!
What is Confidential?
All information about patients is considered private or “confidential,” whether written on paper, saved on a computer, or spoken aloud.
Individually identifiable data, or data that identifies an individual patient, such as the following must be carefully considered:
• Name, address, SSN, age
• Illness, treatments, medications, notes
Use and Disclosure of PHI
HIPAA refers to the Use and/or Disclosure of PHI for the purpose of:
• Treatment – the provision of health care
• Payment – the provision of benefits & premium payment
• Operations – normal business activities (reporting, data collection & eligibility checks, etc.)
These terms are collectively referred to as TPO.
PHI must not be used outside of TPO!
Disclosure/Sharing – “Giving” PHI
HIPAA states that The Stone Center must share only the minimum necessary PHI. Before sharing PHI, ask yourself:
“Does this person need this PHI to treat the patient, receive payment or conduct eligibility?”
Limit exposure of PHI to only what is needed to perform your job.
Scenario
A co-worker calls you and asks for information about his friend’s procedure at The Stone Center. How do you respond?
Answer
Before looking at a patient’s health information, ask yourself one simple question: “Do I need to know this to do my job?”
If the answer is no, STOP! Do not attempt to access the PHI. If the answer is yes, you have nothing to worry about.
Before sharing a patient’s health information, ask yourself: “Does this person need to know this to do their job?”
If you reveal any information to someone who does not need to know it, you have violated a patient’s confidentiality, and you have broken the law!
Scenario
A physician’s office calls to get information on a patient who was treated at The Stone Center. Do you give the information to the office?
Answer
You must receive a request from the patient that allows his medical information/record to be given to the physician’s office. Once the request is received, the information can be sent to the requesting physician.
What happens if you break the law???
Sanctions
Disciplinary sanctions can be imposed, up to and including termination, on employees who breach patient confidentiality.
The severity of the sanction will be based on the nature of the violation and can include fines and imprisonment.
HIPAA ALLOWS
You are permitted to disclose PHI, with or without authorization, outside of TPO to a health oversight agency in special circumstances such as:
• Required by law
• Emergencies
• Abuse
• Neglect
• Domestic violence
Examples:
• Notifying police of a potential neglect or domestic violence situation
• Speaking to a patient’s friend who brought them into the emergency room regarding details of an accident, when waiting to speak to the patient may delay treatment
HIPAA REQUIRES
• Designate a Privacy Officer
• Protect health information
• Post our Privacy Notice
• Create and maintain policies and procedures required to comply with HIPAA
• Amend all policies and procedures as changes in the law occur
• Track all intentional or unintentional PHI disclosures
• Train all employees on the Privacy Rule and its application
• Report and track any breaches of PHI
Scenario
A Stone Center nurse attempts to reach a patient following his lithotripsy procedure. The spouse answers the phone. Can the nurse discuss the patient with the spouse?
Answer
It depends…
Protected health information may only be disclosed to the patient, but:
• A personal representative may be designated by the individual and allowed to act on their behalf; this would be documented in the patient’s medical record.
• If a patient has an obvious caregiver, such as a spouse, discussion regarding follow-up care and medications may occur. Example: If you ask “Are you the patient’s caregiver?” and the response is “Yes, we’ve been married 57 years and my wife is sleeping after returning home from The Stone Center,” then it is reasonable to assume it is appropriate to discuss the patient’s follow-up care with that person.
• If Mabel from next door is just dropping off soup and answers the phone, it’s NOT ok to discuss the patient with her.
Patient Rights
HIPAA’s focus is on the Rights of the Patient and the confidentiality of their information. Under HIPAA, patients have several key rights:
• Right to Request Amendment of their medical record
• Right to Request to Inspect and Copy their record
• Right to Restrict what information can be released and to whom
• Right to Receive Confidential Communication
• Right to Complain about a disclosure of their PHI
These are all listed on the HIPAA Form that is given to each patient treated at The Stone Center, and also in TSC’s HIPAA Patient Rights Policy.
HIPAA Security
The Stone Center is responsible for controlling the means by which health information remains confidential:
• Administrative Requirements – Tracking & Policy documentation
• Physical Safeguards – Door locks & fire protection
• Technical Security Services – virus detection software
• Technical Security Mechanisms – passwords & encryption, shredding
HIPAA Security at The Stone Center
• Password protection for users
• Timed screen lock-out
• Secured/locked access to building
• Locked bins, drawers and files where applicable
• Protecting the PHI in your workspace – faxes, printouts, reports not left lying around
• Proper shredding & disposal
• Encrypted email
• Visitor access to facility
A.5.B RIGHTS AND RESPONSIBILITIES OF PATIENTS - HIPAA
Date: 3/04
PURPOSE: To establish written policies regarding the patient’s rights to gain access to, and more control over the use and disclosure of, his/her personal health information in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and to make these rights available to the patient.
RESPONSIBILITY: Staff
PROCEDURE: The Stone Center is required by law to:
• Make sure that health information that identifies you is kept private;
• Give you a copy of the Notice of Privacy Practices, which explains our legal duties and privacy practices with respect to health information about you; and
• Follow the terms set forth in the Notice of Privacy Practices.
In addition, you have the following rights regarding health information The Stone Center maintains about you:
1. You have the right to inspect and copy health information that may be used to make decisions about your care. Usually, this includes health and billing records.
2. You have the right to request an amendment of your health information if you feel that health information we have about you is incorrect or incomplete, for as long as we keep the information.
3. You have the right to request an accounting (list) of disclosures of your health information that we have made. Generally, uses and disclosures pursuant to treatment, payment and health care operations are exempt from this right, in addition to any uses and disclosures pursuant to an authorization signed by you or your personal representative.
CHANGES TO HIPAA RULE
On January 25, 2013, the Department of Health and Human Services (HHS) posted Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules (the Final Rule) under the authority of the HITECH Act and the Genetic Information Nondiscrimination Act (GINA). The Enforcement Rule changes are effective on March 26, 2013. The additional 180 days afforded for most of the provisions in the Final Rule apply only to modified standards or implementation specifications.
HIPAA TIDBITS
• Ask questions when you are unsure & report disclosures immediately. Contact the Privacy Officer, Meg Oser.
• Become familiar with all HIPAA Policies & Procedures.
• Within the scope of caring for patients, it is not a violation of HIPAA to call the patient by his/her name. This is an incidental disclosure. However, no other information should be called out (i.e. test results, demographic information).
• Discussing patients by name in front of visitors is a violation of HIPAA.