HIPAA - What RNs Need to Know From National Nurse Presented by Kip Klingman

HIPAA Regulations “HIPAA regulations were instituted to protect the privacy of individuals by safeguarding individually identifiable healthcare records, including those housed in electronic media.” Establishes limits for release of information Provides individuals with more control Requires providers and agents to safeguard privacy Holds regulation violators accountable

Patient Rights Right to privacy/confidentiality Right to access to medical records Right to amend medical record Right to accounting of disclosures

Enforcement: Criminal Penalties Individuals, who “knowingly” obtain or disclose individually identifiable health information can face a fine of up to $50,000, as well as imprisonment up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm can receive fines of $250,000, and imprisonment for up to 10 years.

Enforcement HIPAA ViolationMinimum PenaltyMaximum Penalty Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by state attorneys general regardless of the type of violation) $50,000 per violation, with an annual maximum of $1.5 million HIPAA violation due to reasonable cause and not due to willful neglect $1,000 per violation, with an annual maximum of $100,000 for repeat violations $50,000 per violation, with an annual maximum of $1.5 million HIPAA violation due to willful neglect but violation is corrected within the required time period $10,000 per violation, with an annual maximum of $250,000 for repeat violations $50,000 per violation, with an annual maximum of $1.5 million HIPAA violation is due to willful neglect and is not corrected $50,000 per violation, with an annual maximum of $1.5 million $50,000 per violation, with an annual maximum of $1.5 million

Violations in the News September 2007: A hospital in New Jersey suspended 27 staff members for one month without pay for looking at George Clooney’s medical records involving a motorcycle accident. February 2009: A hospital in Wisconsin was referred to the FBI for pictures taken by a nurse in the emergency room and posted to her Facebook page. The photos were that of a man with a sex toy lodged inside his rectum.

Violations Cont. July 2009: A hospital in Arkansas fired two employees in the ER for looking at a patient’s record without necessity. Furthermore, the administrator looked at the same record and was suspended for 2 weeks and required to review a HIPAA training module. All 3 employees pleaded guilty to a misdemeanor charge and faced 1-year in jail and up to $50,000 fine.

Duty and Responsibility Electronic health records, computerized physician order entry systems, and health information technology should be utilized to enhance the provision of safe, therapeutic, and effective nursing care in the exclusive interests of the patient. Information and data collection, storage, retrieval, and transmission technologies must not interfere with the establishment of the RN-patient relationship or override the ability of the RN to document the nursing process, including physical exam and assessment, care planning, implementation, response to treatment interventions and evaluation of care, and documentation of advocacy activities and consultation with other treatment team personnel.

Avoiding Breaches in Confidentiality "Electronic records make it easier to snoop or engage in chart browsing, which creates some concerns since hospital mergers have made it more likely that employees will receive medical care from their own institution. The most likely targets are certain patients, hospital employees, celebrities, and patients with a sensitive diagnosis.“ No disclosures of health information or genetic information without informed consent of patient and affected parties. Under no circumstances can health information be used for hiring, firing, promotion or to deny affordable health insurance or in any other way infringe on one’s civil rights.

Avoiding Breaches Cont. Individuals or entities who legally receive health information must be required to safeguard the information or be subjected to legal or disciplinary sanctions. There will be no sanctions against registered nurses or other healthcare workers for disclosing health information or records to authorized public officials for the purpose of patient advocacy and protecting the public interest. Encourage the use of technical security safeguards like audit trails, security codes, scrambling devices, passwords, or electronic blocks.

Questions and Answers Q: Can healthcare workers speak freely when they may be overheard by others? A: Yes, HIPAA recognizes that a nurse needs to have the ability to communicate in treatment settings. – Healthcare staff may orally coordinate services at hospital nursing stations. – Nurses or other healthcare professionals may discuss a patient's condition over the phone with the patient, a provider, or a family member.

Questions and Answers Cont. Q: May mental health practitioners or other specialists provide therapy to patients in a group setting where other patients and family members are present? A: Yes. Disclosures of protected health information in a group therapy setting are treatment disclosures and, thus, may be made without an individual's authorization. Q: May physicians' offices use patient sign-in sheets or call out the names of their patients in their waiting rooms? A: Yes. Covered entities, such as physicians' offices, may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited.

Conclusion When it comes to information, whether high tech or low tech, taking appropriate security measures to protect patient privacy and confidentiality remains a priority. Nurses must rigorously follow all HIPAA guidelines outlined by their employers and take every reasonable action to prevent unauthorized people from viewing or having access to protected patient health data. The end.

References HIPAA -- the health insurance portability and accountability act: what RNs need to know about privacy rules and protected electronic health information. (2011). National Nurse, 107(6), McEwen, D., & Dumpel, H. (2011). HIPAA -- the health insurance portability and accountability act: what RNs need to know about privacy rules and protected health information. National Nurse, 107(7),