HIPAA Training Developed for Ridgeview Institute 2012 Hospital Wide Orientation
Introduction The purpose of HIPAA training is to uphold the confidentiality of medical record information and protect the patient’s right to privacy in the collection and disclosure of patient information. HIPAA regulations require organizations, such as Ridgeview Institute, to provide HIPAA training to its workforce members.
What is HIPAA? Health Insurance Portability and Accountability Act (HIPAA) is a federal law to provide privacy standards to protect patient’s medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. These standards provide patients with access to their medical records and more control over how their personal health information is used and disclosed.
Patient Rights Patients have the right: To receive a copy of Ridgeview Institutes Notice of Privacy Practices To request restrictions on disclosures of Protected Health Information To receive an accounting of disclosures To request an alternate means of communication, such as sending mail to a P.O. Box versus home address.
Right to Complain Patients have the right to complain if they feel their privacy rights have been violated. Refer patients with complaints about privacy violations to Ridgeview Institute’s Privacy Officer. Anita Thomas ext
Protecting Patient Confidentiality As a healthcare worker, you must do your best to keep patient information confidential, regardless of whether you know the patient. Discussing PHI with individuals not involved in the patient’s care is a violation of the patient’s rights! Each Ridgeview work force member is responsible for maintaining and protecting the privacy and confidentiality of patients, family members, visitors, and co-workers.
What is PHI? All protected health information (PHI) is subject to federal HIPAA regulation, which refers to any information that identifies a patient and relates to at least one of the following: 1.The individual's past, present, or future physical or mental health 2.The provision of health care to the individual 3.Past, present, or future payment for health care Information that can identify an individual includes either the individual's name or any other information that could enable someone to determine the individual's identity.
PHI & ePHI Definitions Protected Health Information (PHI) is all individually identifiable health information held or transmitted by Ridgeview in any form or media whether electronic, paper records, fax documents or oral communications. ePHI is all individually identifiable health information that Ridgeview creates, receives, maintains or transmits in electronic form. Types of Identifying Health Information Name Address All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89) Telephone numbers FAX number address Social Security number Medical record number Health plan beneficiary number Account number Certificate/license number Any vehicle or other device serial number Device identifiers or serial numbers Web URL IP address Finger or voice prints Photographic images Any other characteristic that could uniquely identify the individual
Physical Security These steps include: Locking Doors & Desks Storing Computer equipment safely and securely Making sure that those around you cannot easily view PHI or ePHI Controlled Facility Access (e.g., ID badge) Physical Security involves common sense steps to safeguard information from physical threats.
Physical Safeguards Additional required steps include: Never leave your PC unattended while you are logged in. Never share your log in password with anyone. It is a violation of Ridgeview Policy to share your password or log-in credentials. Keep your computer monitor positioned out of public view. Hold your conversations with patient/family in areas where PHI is not easily overheard. Ridgeview Institute takes measures to provide physical safeguards by limiting physical access to facilities where PHI is stored and requiring employees to wear authorized ID badges at all times while on campus.
Inappropriate access to PHI It is a blatant violation of patient privacy to view someone’s record for reasons outside of your role at Ridgeview Institute. Those authorized to view a patient’s record are allowed to do so only as needed to perform their job. This limited access includes restrictions to accessing Hard Copies (Paper Records) and Electronic Data Records.
HIPAA–Minimum Necessary Requirement HIPAA calls on health care workers to use the minimum amount of patient information they need to do their jobs efficiently and effectively. Ask yourself: –Do I need this information to do my job and provide good patient care? –What is the least amount of information I need to do my job? –What is the minimum amount I need to share with other to provide quality patient care?
Disclosure of PHI HIPAA requires an authorization signed by the patient or the patients’ legal guardian before any PHI may be communicated verbally or in writing to another party. Federal regulations require documentation of what information was released, the date released, and who released the information, be recorded in the medical record. This may be documented at the bottom of the authorization form.
Exceptions to Disclosure Medical Emergencies Reporting of Suspected Abuse (child or elder) Reporting of Communicable Diseases Court Order
Disposal of PHI HIPAA requires Protected Health Information (PHI) to be kept confidential even when it’s being thrown away. It is the responsibility of ALL Ridgeview work force members to dispose of anything with PHI in a locked trash bin designated for disposal of confidential information.
Misdirected Faxes with PHI Misdirected faxes are not uncommon in the daily operations of a healthcare facility. A Ridgeview employee who unintentionally sends a fax with PHI to the wrong party should report the incident to their supervisor or Ridgeview’s HIPAA Privacy Officer immediately at x2801 or In addition, all print jobs should be picked up IMMEDIATELY from the printer and should never be left unattended. Ridgeview’s HIPAA Privacy Officer
Health Information Technology for Economic and Clinical Health (HITECH) Act The HITECH Act (law) strengthens HIPAA enforcement. It includes provisions that call for increased monetary penalties for violation of HIPAA privacy and security regulations, new patient information breach notification requirements, and increased privacy rights for patients. HITECH established four tiered ranges of increasing minimum penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical nature during a calendar year. Depending on the circumstances, federal or state law may permit civil or criminal litigation and/or restitution, fines, and/or penalties (including jail time) for actions violating HIPAA. Ridgeview Sanction Policy which could include termination of employment depending on the severity of the violation. A recent example in the news, a hospital in Massachusetts agreed to pay a $1 million dollar fine as a result of an incident involving the loss and disclosure of PHI of 192 patients.
Breach Notification (HITECH) If it is determined there is a violation, certain entities must be notified: Individual whose privacy has been violated Office of Civil Rights under the DHHS Media (over 500 individuals) Business Associates must report to the Covered Entity
Business Associates (BAs) HIPAA governs those who contract with Ridgeview Institute and use or have access to Protected Health Information (PHI). Penalties and sanctions are applied directly to BAs violating Privacy and Security regulations.
RVI Intranet: HIPAA Related SPPs 1.2Business Associates 1.6Confidentiality 7.1Personnel Security 7.2Workstation Use 7.3 , Internet, & Intranet Use Faxing Employee Healthcare Info. 15.2 Release of Information
HIPAA Related SPPs (continued) 15.3 Completion of Medical Record 15.4 Faxing Patient Information 15.5 Amendment to Protected Health Information 15.6 Right to Request Privacy Protection 15.7 Sanctions for Non-Compliance with HIPAA 15.8 Privacy Complaints 15.9 Notices of Privacy Practices of PHI