NCPD#1/jab 0803 1 Health Insurance Portability & Accountability Act.

Presentation transcript:

NCPD#1/jab Health Insurance Portability & Accountability Act

What I will learn from this program  What is HIPAA  Who is covered by HIPAA  Goals of HIPAA  Definitions  What is “Protected Health Information (PHI)”, “Use”, and “Disclosure”  What are “Security Rules”  How does this affect you  Why comply

What is HIPAA  HIPAA – Health Insurance Portability and Accountability Act of 1996  Original intent was to ensure portability of insurance when employment changes.  Administrative Simplification  Standardization of formats, codes and identifiers  Increased security of electronic health data  Increased protection of protected health information  Simplify health care administration

Who is covered by HIPAA  Covered entities include  Health care providers  Health plans  Health care clearinghouses

Goals of HIPAA  For Patients  Control over their information  The right to see their records and correct any mistakes in them.  The right to know who has seen their information

Goals of HIPAA  For Institutions  Protect patient information  Limit use of patient information  Penalize those who misuse information

Definitions  Protected Health Information = Individually identifiable health information in any form or media. Only authorized people will look at or use it for treatment, payment or health care operations (TPO)  Privacy = Right of each person to keep certain personal information to him or herself, confident that only authorized people will look at or use it.

More Definitions  Security = Protection of information, data and systems from accidental or intentional access by unauthorized users.  TPO = Treatment, Payment and Operations  Minimum Necessary = Minimum amount of information you “need to know” to do your job.

What is Protected Health Information  Information that identifies a person  A person who is living or deceased  Past, present or future health information  Electronic or paper form, or spoken in conversation  Examples: Patient charts, lab reports, x-rays, billing systems, nursing notes, phone calls, and conversations about patients

What Makes Information Identifiable  Name  Address  Phone or fax number  address  Social Security or medical record numbers  Photos  Names of relatives  Voice, finger, retinal prints  Date of Birth  Employer  Insurance account numbers

Who can access this information  The privacy rules of HIPAA limit both the “Use” (how the information is used in the institution), and “Disclosure” (how the information is given out to other institutions for use).  Patients typically give permission for use or disclosure of their information by signing a written form. Some disclosures are required by law, such as reporting of gunshot wounds, child abuse, and infectious diseases, and do not require patient permission.

Internal Use  Routine access will be limited by job functions  “Need to know”, or minimum necessary needed for each task  Example EKG: EKG technicians only need the information relating to the EKG, would not need to see patient progress notes or insurance information  Non-routine access will be limited by policies and procedures of each institution

Disclosure  Providing information to those outside of the institution  Types  Mandatory: dog bites, gunshot wounds  Incidental: I accidentally faxed your records to the wrong department  Malicious: I steal a list of consumer names and addresses to sell as a mailing list.  Reasonable efforts should be made to give out only the least amount of information needed to meet the request  Example: Transportation Service: a service that drives patients to and from appointments would only need certain information such as patient name, appointment details (time/address), and contact phone number; it should not have details on other protected health information.  GHC User: You may want to use this slide to show there are different types of disclosure: Mandatory: i.e., dog bites, gunshot wounds, etc. Incidental: I accidentally faxed your records to the wrong department. Malicious: When I steal a list of consumer names and addresses to sell as a mailing list. All of these must be accounted for.

Security Rules  Protect the systems that store protected Health information – The hardware and software  Systems must be protected so that unauthorized people cannot get to the information. Ex: Computer systems will require you to change your password every so often to protect against someone else gaining access to the system using your password.

Security Rules (Continued)  Protect Information itself from unauthorized use and misuse by those allowed to view the PHI  Ex: a famous person, co-worker, or family member is a patient, can you check to see how he or she is doing? No! If you are not involved in the patient’s care you cannot view the information.

Summary of Privacy and Security Rules  Patients have the right to control their information  Institutions will limit the use and disclosure of information  Institutions will protect information on the computer

So What’s New About This Law  Sounds like what we have been doing all along, Privacy has always been a priority.  Now the government has decided what the basic requirements are for protection of patient information and Institutions are being held accountable  Patients can be more confident that their information will be kept private

Privacy…. Why?  A Tampa Florida man stole a list of 4,000 HIV-positive patients from a state health worker and sent the list to the Tampa Tribune, which did not publish it. The man was found guilty and sentenced to jail  New York congressional candidate's past suicide attempt was made public during a campaign. She won the election and sued the hospital for failing to maintain the confidentiality of her medical records  An employee of a large Blue Cross/Blue Shield plan obtained unauthorized access to the medical records of the ex-wife of a friend and sent them to his friend.

How Does HIPAA Affect You  Faculty and Students are held to the same obligations and accountability as employees, they are seen as part of the workforce under affiliation agreements  Whether you work directly with patients or not, you may find yourself in situations involving patient information. What do you do?

Protecting Spoken Information What do you do?  You’ve just made it through a long line in the cafeteria and scored an empty table. As you settle in to enjoy your lunch, you can hear 2 co-workers discussing a patient

Response  Remind them that confidentiality is important, public areas may be convenient but when it comes to PHI they are not good choices.  Find a private space if your job requires you to talk about patient information. Do Not Discuss Patient Information in Public Areas!

What do you do?  One day you walk by a room and see someone you know. She is not looking well and she seems to be by herself. You want to express your concern and see if you can help.

Response  Respecting privacy doesn’t mean you have to ignore someone you know. But don’t ask for Personal Health Information  She can tell you about her illness, but you can’t ask, and if told you cannot repeat the information you hear.  Unless you are involved in the patient’s care you do not have the right to ask for information or even tell other people who the patients are. Don’t Ask For Information Even If You Know The Person!

What do you do?  Let’s say you entered a patient’s room to explain a procedure. The patient has several visitors in the room who may or may not be family.

Response  Before entering the patient’s room, you should first knock and ask permission to enter.  If other people are in the room ask permission from the patient to talk about his or her care with visitors present. Ask Permission From Patient

What do you do?  You are walking down the hall and are stopped by a visitor to get directions

Response  If you can give a visitor directions without asking for personal health information you are being courteous and respectful of patient privacy  If it is not clear where the visitor is supposed to go or if asked about a patient’s condition direct them to the information desk. Be Courteous and Direct Visitors to the Information Desk

Protecting Spoken Information  Around Patient Rooms  Knock first and ask to enter  Close doors or curtains when talking about treatments or doing procedures  Speak softly in semi-private rooms  In Public Areas  Don’t talk about patients  Direct Visitors to the information desk  Don’t leave messages on answering machines about patient conditions

Protecting Written Information What do you do?  Suppose you enter a conference room and find papers with patient information left on the table

Response  Papers that have Protected Health Information should be returned to the person who left them. If you can’t find the owner of the papers, give them to your supervisor for shredding. Find The Owner Of Lost Papers Or Give Them to Your Supervisor

What do you do?  Suppose you work in an area where several people share a fax machine in a lounge. While you are in the lounge a fax including PHI arrives but no one comes to get it. Later that afternoon you notice the fax is still there.

Response  Tell your supervisor about the fax  If you are someone who shares a fax or printer, it is your duty to pick up papers right away.  Fax machines and printers are best located in a private area, away from public view. Don’t Leave Papers With Medical Information Unattended

Protecting Written Information  Find the owner of “lost” papers  Shred Information no longer needed  Don’t leave papers unattended  Keep information away from public view

Protecting Electronic Information  Keep computer screens pointed away from public  Never leave patient information in public areas unattended  Log-off workstations when leaving the area You Are Responsible For Any Activity On The Computer That Is Made With Your User Name

Protecting Electronic Information  Protect Your Password  Don’t share it with anyone  Never write it down  Don’t say it out loud  Don’t it  Report any misuse or problems with your password

Protecting Electronic Information  Handhelds and Laptops  Prevent loss or theft of equipment-never leave this equipment unattended  Use Passwords to protect information  Close programs when not in use

Why Should We Comply  It is the right thing to do.  Patients have rights to privacy  It improves the quality of care  It is good business  Disciplinary Action  Can range from counseling to final written warning to termination  Repeated offenses can result in more severe discipline  Penalties  Civil and Criminal Penalties  Against both the individual and the institution

Consequences for Noncompliance
Violation: Wrongful disclosures. Penalty: Up to $50,000 + up to 1 year in prison
Violation: Gaining access by false pretenses. Penalty: Up to $100,000 + up to 5 years in prison
Violation: Intent to sell, transfer or use. Penalty: Up to $250,000 + up to 10 years in prison

Enforcement of HIPAA  The Office for Civil Rights has been charged with enforcing HIPAA privacy regulation

Questions About Privacy  In some situations it is not clear whether privacy rules apply or what the best way to handle the situation is  HIPAA was never meant to interfere with patient care  If questions come up or you don’t know what to do, ask your supervisor  When in Doubt Ask!

A Parting Thought  If your loved one was a patient, wouldn’t you want your family’s privacy to be protected by the people caring for him or her?

Resources  Federal Register August 14th, 2002 Notice  Federal Register February 20th, 2003 Notice  HHS Office of Civil Rights – HIPAA Page