NAU HIPAA Awareness Training

Welcome!

Hello, my name is ________________________ and I will be talking to you today about protecting patients' privacy and how it is everyone's responsibility. Today more than ever, patients and consumers are both concerned and aware that their private information can be used or released without their knowledge. Recently a new federal law was passed that protects a patient's private medical information and also gives patients new rights in managing their health information. In this session, we will talk about patient concerns, the new patient rights, and your responsibilities in protecting patient privacy.

(Information only: References used to complete this presentation include: HIPAA 101 and 102: Allen Hospital System; Health Information Management, An Applied Technology, AHIMA, Merida Johns; www.healthprivacy.org and www.medicalert.org; Oregon Dept. of Human Services.)
Health Insurance Portability and Accountability Act of 1996

What is HIPAA?
A federal law dealing with the privacy and security of health information
HIPAA stands for Health Insurance Portability and Accountability Act of 1996

A Gallup survey commissioned by MedicAlert in November 2000 on just how important privacy is to patients, and how concerned they are about it, showed:
77% of Americans feel that privacy of their personal health information is important;
84% said they were very or somewhat concerned that personal health information might be made available to others without their consent;
Only 7% said they are willing to store or transmit personal health information on the Internet, and 8% felt a website could be trusted with such information.

IF PATIENTS ARE CONCERNED THAT THEIR HEALTHCARE INFORMATION ISN'T KEPT CONFIDENTIAL, QUALITY OF CARE IS COMPROMISED. CONDITIONS MAY BE LEFT UNTREATED AND THE PATIENT'S MEDICAL RECORD IS INCOMPLETE OR INACCURATE. HIPAA IS THE REGULATION THAT PROMOTES PRIVACY AND SECURITY.
How HIPAA applies to Health Care Systems:
HIPAA applies to all management, employees, volunteers, temporary employees, students, residents, and trainees (the workforce) employed in health care systems
NAU is committed to providing students seeking careers in health occupations with HIPAA awareness training
Complying with HIPAA is MANDATORY!

Federal Privacy Regulations (April 2001)
This federal regulation establishes standards for most health care providers and payers in the protection of health information, and establishes new patient rights related to accessing their health information. Although HIPAA was officially passed by Congress in 1996, the privacy rules became effective in April 2001 and healthcare providers implemented these new rules in April 2003. Since April 2001, healthcare providers have been busy reviewing the HIPAA regulations, assessing and writing privacy and security standards for their facilities, and training employees on the regulations.

Today, we will provide you with an overview of the HIPAA regulations that relate to privacy and security issues. We want to be clear up front that we are not going to train you line by line on the HIPAA regulations. We also won't be telling you specifically how an office, clinic, or hospital will implement the law; each facility will handle HIPAA differently. What you will receive today is a foundation to familiarize yourself with HIPAA.
How HIPAA applies to Health Care Systems cont'd:
There are fines and even criminal penalties if we do not take reasonable steps to comply.
Every member of an organization has a role to play, even students!

It is important to know that there are penalties for failing to meet the requirements of the privacy regulations or for inappropriately disclosing or receiving confidential health information. Penalties can be either criminal or civil. An example of a criminal case would be the use of a person's health information for malicious harm. An example of a civil case would be the inadvertent disposal of a PC with patient information stored on the hard drive. Monetary penalties can range from $100 to $100,00 depending on the severity of the violation. Penalties can also include imprisonment of up to 10 years depending on the severity of the incident. Penalties will be more severe when information is obtained under false pretenses, or is obtained with the intent to sell or transfer it, or to use it for commercial gain, personal gain, or malicious harm. Both the institution and individuals can be held liable for breaches of privacy; the penalties do not apply only to the organization.
What is Privacy?
Privacy refers to your duty to prevent others from seeing or using protected health information (PHI) about patients
Under HIPAA, a facility can only use and disclose PHI for certain permitted purposes
You SHOULD NOT see or obtain PHI unless you need it to do your job
You SHOULD NOT disclose PHI to others unless that is part of your job

PHI means protected health information under HIPAA. It is an important HIPAA term. Privacy is a concern to patients, and breaches of patient privacy have consequences. There have been cases where persons have lost jobs when bosses learned that employees sought treatment for drinking problems. In North Carolina, a woman was fired from her job after being diagnosed with a genetic disorder that required expensive treatment; three weeks prior she had received a positive evaluation and a raise. A drug store made prescription records available to a marketing firm that sells pharmaceuticals. Thousands of patient records have been found in unlocked dumpsters and on the Web.

Optional dialogue:
90% trusted their doctors to keep their information private and secure
66% said they would trust a hospital
42% said they would trust an insurance company
35% said they would trust a managed care company
How Privacy Works
Patients rely on their healthcare providers to keep their information private
Because health care systems promise patient privacy, patients are willing to provide the personal details of their health so that providers can diagnose and treat them
If patients are not willing to provide information because of privacy concerns, care is compromised
What is Protected Health Information?
Any information about past, present, or future physical or mental health, healthcare, or payment for healthcare that identifies a patient.
Examples: name, address, date of birth, date of death, date of admission, date of discharge, telephone number, email address, social security number, health record number, account number, and facial photographs.
What forms of records are covered?
All protected health information (PHI) about patients:
Written
Video
Electronic
Oral

Under the HIPAA privacy provisions, any individually identifiable health information that is transmitted by electronic media, maintained in either paper or electronic form, or transmitted or maintained in any other form is considered PHI. If you think about this, any information that can identify a patient can be the source of a HIPAA violation.
What is Security?
Security refers to our duty to keep health information secure and available
Facility privacy practices prohibit members of the workforce from obtaining PHI unless they need it to do their job
Security safeguards limit access to PHI
Privacy and security go hand in hand

In other words, privacy determines who gets what information and when they get it. Security determines who has access to that information.
How HIPAA affects a health care facility
HIPAA regulates how health care providers use and disclose protected health information
Health care providers are committed to complying with HIPAA regulations
Health care providers have developed compliance plans
What is a compliance plan?
Policy explaining privacy rules
Identifies risks, adopts safeguards to protect PHI
Classifies all members of the workforce
Trains all members of the workforce
Establishes a Privacy Officer: the person identified in a facility as the contact for any questions, concerns, or complaints

Compliance plans assist in the development of internal controls that promote adherence to applicable federal and state guidelines. Facilities must be able to prove they are in compliance with regulations. Requiring employees to attend HIPAA orientation training is one example of maintaining compliance.
What is a compliance plan cont'd.
Mandatory Reporting
If you have first-hand knowledge of a breach of privacy policies or of improper use or disclosure of protected health information, you must report it to your supervisor and/or the Compliance (Privacy) Officer
Patients are given information on admission about how to report privacy rights violations to the identified Compliance (Privacy) Officer within the organization
Patients can also file a complaint with the Secretary of the Department of Health and Human Services
Persons reporting to Compliance Officers are protected from retaliation

All health care facilities covered under HIPAA are expected to develop a compliance plan for the reporting of violations. Guidelines generally identify a reporting hierarchy within an organization for employees and patients. A feature of the compliance plan is PERMISSIVE reporting. All health care facilities need to know whether their compliance efforts are effective; by addressing concerns, a facility can determine how its compliance plan is working. Compliance plans also provide protection for reporting and compliance activities. Policies will include protection from retaliation because you file a mandatory or permissive report or participate in good faith in compliance activities, such as a government investigation. Most compliance plans require discipline if you do not comply with mandatory reporting or if you are responsible for a security breach. All facilities must have a written procedure in place that allows individuals to file a complaint concerning the facility's privacy and information security policies and procedures.
Notice of Privacy Practices
A HIPAA privacy standard that gives an individual the right to receive a notice that outlines:
How medical information is used and disclosed by an organization
How to access and obtain a copy of their medical records
A summary of patient rights under HIPAA
How to file a complaint, with contact information

By this time, many of you may have received a Notice of Privacy Practices from a covered entity. This may have been at the physician's office, a hospital, a rehab center, or even the dentist. The Notice is very important because it tells the individual of his/her rights regarding PHI and states how the record may be used in a health care facility (such as for fundraising, research, and for treatment, payment, and operations). Usually the Notice of Privacy Practices is given at the first point of contact: admissions and/or the reception desk. It is also posted in a prominent place in the facility. Usually, the notice is given once. Health care facilities will make every effort to obtain the person's written acknowledgement that the notice was received.
Disclosure of Protected Health Information
Authority: the patient
Every use and disclosure of protected health information must be authorized by the patient or by state or federal law
Examples:
Patients can authorize release of information to a third party
State laws require reporting of child abuse
We cannot assume every use or disclosure is okay
Facilities have developed policies and assigned procedures to deal with this
Sharing of PHI
You may share protected health information ONLY if you need it to do your job
Nurse to nurse communication related to assigned clients
Health staff to the physician in charge of patient care
Allied health professionals (respiratory, therapists, etc.) to those in charge of patient care
Chart reviewers for in-house projects
NEVER access patient information that is not needed in the performance of your job
Incidental Disclosures are a reality
An unintended or unavoidable disclosure of protected health information that occurs as part of a permitted disclosure
Examples:
Quality review committee forgets to delete a patient name from the quarterly hospital infection report
Nurse speaking to a patient on the phone is heard by another person walking by the nurses' station
Two patients in the same room
Facilities must use reasonable safeguards to protect privacy

Incidental disclosures are permitted under HIPAA. Some disclosure is unavoidable, such as being overheard by someone walking by the nurses' station. However, HIPAA does require a facility to use reasonable safeguards. For example, in a room occupied by two patients, the curtain should be drawn and voices lowered to protect the confidentiality of the patient. If the patient has visitors, always ask the patient's permission for the visitors to hear the information before discussing his/her medical condition.
Safeguards for PHI
All covered entities must have in place reasonable administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of PHI and to prevent unauthorized or inappropriate access, use, or disclosure of PHI
It's the law!
Doing your part
Only access confidential information (PHI) if you have a need to know it to do your job
Take reasonable steps to verify the identity of persons to whom you disclose PHI (if someone asks for PHI and you don't know whether they have a right to the information, you can ask for identification)
Use or disclose PHI only in the performance of your responsibilities and duties (you cannot access patient information that is not a component of your assigned work duties)
Understand the law and the organization's policy
Attend training and education programs
Treat patient information the way you would want your personal information treated

Also, when working on the floor, don't leave patient records unattended. At the nurses' station, close patient records if you need to leave the area.

OPTIONAL SECTION (may not pertain to all students)
At NAU, some courses require the use of medical records. These records are de-identified. De-identification is the process of eliminating all data that could identify the patient. This can include information such as name, birthdate, address, phone number, next of kin, religion, race, SSN, and employer.
Use Technology Wisely
ONLY access patient information if you have a need to know it to do your job
Protect your password; never share it with anyone
Log off the computer when you leave the area
Make sure computer screens are not visible to the public
Take steps to ensure the privacy of faxed PHI
Audit trails: facilities can monitor where you have been and what you have looked at!

Technology will play a role in the work setting. Use precautions and protect access to electronically stored PHI. Many facilities perform random audits of an employee's login history and what they may have accessed. Protect yourself by accessing only what you need to know.
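To show how the audit trail mentioned above and the need-to-know rule from the sharing-of-PHI slide fit together, here is an added example (not part of the NAU deck or any facility's actual system) that reviews a constructed chart-access log against an assumed patient assignment roster and flags views outside a user's assignments for the Privacy Officer. The log format, user names, record numbers and roster are all constructed for illustration.

```python
"""Review a constructed EHR access audit trail for need-to-know violations.

Added example, not part of the NAU training deck. Log format, roles and
the assignment roster are assumptions constructed for illustration.
"""
from collections import defaultdict

# Constructed sample: which patients (by record number) each nurse is assigned.
# Chart reviewers on an in-house project may open any chart in that project.
ASSIGNMENTS = {
    "nurse.alice": {"MRN1001", "MRN1002"},
    "nurse.bob": {"MRN1003"},
}
PROJECT_REVIEWERS = {"reviewer.carol": {"MRN1001", "MRN1003", "MRN1004"}}

# Constructed audit trail: timestamp|user|action|patient record number
AUDIT_LOG = """\
2011-10-03T08:02:11|nurse.alice|VIEW_CHART|MRN1001
2011-10-03T08:05:40|nurse.alice|VIEW_CHART|MRN1002
2011-10-03T08:07:02|nurse.alice|VIEW_CHART|MRN1003
2011-10-03T08:10:15|nurse.bob|VIEW_CHART|MRN1003
2011-10-03T08:12:30|nurse.bob|VIEW_CHART|MRN1005
2011-10-03T09:00:00|reviewer.carol|VIEW_CHART|MRN1004
2011-10-03T09:01:12|reviewer.carol|VIEW_CHART|MRN1002
"""

def parse_audit_log(text):
    """Yield (timestamp, user, action, mrn) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) == 4:
            yield tuple(parts)

def allowed_records(user):
    """Records a user may open: own assigned patients plus any project charts."""
    return ASSIGNMENTS.get(user, set()) | PROJECT_REVIEWERS.get(user, set())

def find_need_to_know_violations(text):
    """Return {user: [(timestamp, mrn), ...]} for chart views outside the
    user's assignments; these are the accesses a Privacy Officer reviews."""
    flagged = defaultdict(list)
    for ts, user, action, mrn in parse_audit_log(text):
        if action == "VIEW_CHART" and mrn not in allowed_records(user):
            flagged[user].append((ts, mrn))
    return dict(flagged)

if __name__ == "__main__":
    for user, hits in find_need_to_know_violations(AUDIT_LOG).items():
        for ts, mrn in hits:
            print(f"{ts} {user} opened {mrn} outside assignment; refer to Privacy Officer")
```

A real facility would draw the roster from its scheduling or admission system rather than a hard-coded table; the review logic is the same.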
Protect Confidential Information
Providing patients with quality healthcare includes protecting their information
Everyone is required to do their part!

Oct 2011 Rev