The Medical College of Georgia HIPAA Privacy Rule Orientation
WHAT IS HIPAA? HIPAA is an acronym that stands for the Health Insurance Portability and Accountability Act of HIPAA includes regulations that govern the use and release of a patient's personal health information. HIPAA also limits the kind of information MCG can disclose regarding patients. Besides privacy standards, HIPAA creates new standards for administrative transactions and the electronic security of individual health information.
WHY HIPAA?
Patient concern about use or disclosure of personal health information without their knowledge
Media coverage for high profile breaches
Electronic transmission of information
Secondary uses of information, e.g., employment decisions, marketing, etc.
Patient demand to control how personal health information is used or disclosed
WHO MUST COMPLY WITH HIPAA? All MCG workforce members (employees, faculty and students) who transmit protected health information in electronic form in connection with certain administrative and financial transactions are subject to the requirements of the rule.
WHAT INFORMATION IS PROTECTED UNDER HIPAA? All medical records and other patient/individually identifiable health information maintained by MCG in any form (verbal, paper, and electronic) are protected. This information may be found in:
Medical Records, clinical research records
Computer Systems/Electronic Records
Photographs, Videos, Audiotapes
PDAs, iPods, Digital Cameras, thumb drives, etc.
WHAT IS OUR COMMITMENT TO PRIVACY? MCG believes that patients have the right to have their medical information kept private, and the right to review their medical records and understand how their medical information will be used. We balance protecting patient information with ensuring our workforce has the information needed to properly care for patients, instruct students, and conduct research. We provide annual HIPAA training and education about the HIPAA rule to all of our employees, residents, and students.
New Employee HIPAA Training At the beginning of the second month of employment, all employees with campus accounts will receive instructions for complying with the MCG 30-day deadline for HIPAA training. Employees without computer access will be issued HIPAA training in paper format from their supervisors.
NOTICE OF PRIVACY PRACTICES The law requires health care providers to give patients a notice that details their privacy rights and how their health information will be used and disclosed, and that explains who will have access to their medical records, from faculty, office workers, researchers and students to compliance officers or public health officials.
HIPAA PROVIDES NEW PATIENT PRIVACY RIGHTS
Right to Receive Notice of Privacy Practices
Right to Request Restrictions on Uses & Disclosures of Protected Health Information (PHI)
Right to Receive Confidential Communications
NEW PRIVACY RIGHTS - Continued
Right to Access, Inspect, and Copy PHI
Right to Request Amendment of PHI
Right to Request Accounting of Disclosures of PHI
DISCLOSING PATIENT INFORMATION Unless a patient objects, the following information may be placed in the MCG Health System’s hospital directory:
Patient’s Name
Patient’s Location in the Facility
Patient’s Condition (general information only)
Patient’s Religious Affiliation (for clergy use only)
SHARING INFORMATION FOR INTERNAL PURPOSES: Our MCG Health System is allowed to share information for the following purposes:
Treatment
Payment
Healthcare Operations: teaching, clinical research (with prior approval by the Human Assurance Committee), accreditation, compliance, etc.
SHARING INFORMATION AS REQUIRED BY LAW
Public Health Requirements
Health Oversight Activities
Judicial & Administrative Proceedings
Organ Donation
Public Safety
Government Proceedings
Workers Compensation
CHANGING OR AMENDING PATIENT HEALTH RECORDS If a patient believes that the information in their health record is incomplete or inaccurate, the patient may request an amendment by:
Contacting the person who made the entry and pointing out the inaccuracy; or by
Contacting the privacy officer or health information management department and pointing out the inaccuracy.
ACCESSING PATIENT HEALTH RECORDS Reasons to Access Patient Records:
To provide past medical information to new healthcare providers who are caring for the patient
To ensure the accuracy of the information contained in the records
To verify charges for care
HOW CAN PATIENTS PROTECT THEIR MEDICAL PRIVACY?
Read the MCGHI Notice of Privacy Practices
Talk about confidentiality concerns with healthcare providers
Read authorization forms before signing them
Be cautious with health web sites, other health screening questionnaires, etc. - know how the information may be used or disclosed
MCG Privacy and Security Policies
Privacy of Health Information
Information Systems Security and Computer Usage
RESOURCES
MCG HIPAA Privacy Officer (706)
MCG Security Officer (706)
Department of Health & Human Services, Office of Civil Rights