All Staff – April 2016 Karn Pederson, RHIT, Privacy Officer HIPAA - Privacy.


1 All Staff – April 2016 Karn Pederson, RHIT, Privacy Officer HIPAA - Privacy

2 HIPAA….. Protects the privacy of individually identifiable patient information. Provides for electronic and physical security of health and patient medical information. Simplifies billing and other electronic transactions through the use of standard transactions and code sets (billing codes)

3 Who must follow the HIPAA Law? McKenzie County Healthcare employees McKenzie County Healthcare Physicians and mid-level practitioners Contracted employees (clinical, administrative, financial and operational support) Contracted physicians and mid-level practitioners Volunteers

4 A Business Associate is … A vendor or a third party that performs or helps perform any function or activity that involves the use or disclosure of protected health information, and/or creates, receives, maintains, or transmits protected health information on behalf of McKenzie County Healthcare Systems. (Examples: Legal services, financial services, consulting services, transcription services, coding services, paper destruction companies, etc.) If you are unsure whether a BAA is needed, please contact the Privacy Officer

5 What Patient Information Must We Protect? Protected Health Information (PHI)
• Relates to past, present, or future physical or mental condition of an individual; provisions of healthcare to an individual; or for payment of care provided to an individual.
• Is transmitted or maintained in any form (electronic, paper, or oral representation).
• Identifies, or can be used to identify the individual (demographics)

6 PHI Includes Patient Identifiers Some examples include: i. Name ii. Address (street, city, and zip code) iii. Any date (birth, admit and/or discharge date) iv. Any phone number (home, work, mobile or fax) v. Email addresses vi. Social Security Number vii. Medical Record or Episode Number viii. Health plan numbers ix. Any other unique identifying number, characteristic or code.

7 McKenzie County Healthcare Systems may not use or disclose an individual’s protected health information, except as otherwise permitted or required by law. But….. MCHS may use and share a patient’s PHI for
• Treatment of the patient
• Payment of health care bills
• Business and management operations
• Disclosures required by law
• Public Health and other governmental reporting.

8 McKenzie County Healthcare Systems must use or disclose only the minimum amount of PHI necessary, except for requests made –
• Disclosure to or requests by a health care provider for treatment purposes.
• Disclosure to the individual who is subject of the information.
• Disclosures to the Secretary of the Department of Health & Human Services (DHHS) when the disclosure of information is required under the Privacy Rule for enforcement.
• Uses or disclosures required for compliance with HIPAA Administrative Simplification Rules.
• Uses or disclosures that are required by law.

9 When can I use PHI? Only in the course of performing your job duties! Always protect a patient’s information. i. Look at a patient’s PHI only if you need it for the performance of your job. ii. Use a patient’s PHI only if you need it for the performance of your job. iii. Give a patient’s PHI to others only when it’s necessary for the performance of their job. iv. Talk to others about a patient’s PHI only if it is necessary for the performance of their your job. Consider your surroundings when discussing a patient’s PHI.

10 Uses and Disclosures of PHI for Fundraising The following information may be used to support efforts to raise funds that directly benefit the medical practice without the patient’s authorization:
• Demographic information describing the individual.
• Dates on which the patient received healthcare services from MCHS.
• Treating physician.
• Information about patient outcome.
• Health insurance status.

11 Uses and Disclosures of PHI for Fundraising (cont.) Fundraising appeals sent to individuals must include the following paragraph describing how the individual may opt out of further fundraising communications: “To be removed from future fundraising appeals, please call 701-842-**** and ask to be removed from our fundraising mailing list on the reply card and return it to the office by dropping in a mailbox.”

12 Notice of Privacy Practice MCHS is required to provide a notice of privacy practices to all patients or any persons requesting a copy which describes:
• How MCHS may use and disclose your protected health information
• Individual’s rights to their protected health information
• MCHS responsibilities with respect to the patient’s protected health information.

13 Notice of Privacy Practice (cont.) The patient or their representative is to be asked to initial off for acknowledgment of receipt of the Notice of Privacy Practice on their first visit to either the hospital or clinic.
• MCHS implemented a second Notice of Privacy Practice that was effective June 1, 2014. If the patient was seen prior to June 1, 2014 and now presents after this date, the new Notice of Privacy Practice should be given to them and they will need to acknowledge receipt and the date changed in the computer.

14 Breach of Confidentiality… Breaches of MCHS policies and procedures or a patient’s confidentiality must be reported to MCHS Privacy Officer at 701-842-7125. Examples of breaches – i. Accessing a co-worker’s electronic health records and they were not involved in the patient’s care. ii. Explanation of Benefits sent to wrong guarantor. iii. Taking cell phone picture of patient involved in a MVA and sending to a friend iv. Medical records left in hospital lobby. v. Misdirected fax of PHI to the local grocery store instead of to the requesting provider’s fax.

15 Penalties… $100 for each violation if did not know, with a total not to exceed $25,000 for all identical violations within one year. $1,000 for each violation due to reasonable cause, not willful neglect, with a total not to exceed $100,000 for all identical violations within one year. $10,000 for each violation due to willful neglect, but was corrected, with a total not to exceed $250,000 for all identical violations within one year. $50,000 for each violation due to willful neglect, but was NOT corrected, with a total not to exceed $1,500,000 for all identical violations within one year.

16 Faxing Faxing of PHI is permitted. Always include MCHS fax cover sheet which contains a Confidentiality Statement. Information that should not be faxed except in an emergency is: i. Sexually-transmitted disease (STD) information ii. HIV status. iii. Mental illness or psychological information iv. Drug and alcohol dependency

17 Frequently Asked Questions May I access my own medical record? NO. It is the policy of MCHS that if you need information from your electronic or paper health record, you follow the release of information practices by contacting the HIM department at the hospital or the front desk at the clinic. May I access my minor child’s medical record? NO. It is the policy of MCHS that if you need information from the electronic or paper health record, you follow the release of information practices by contacting the HIM department at the hospital or the front desk at the clinic.

18 FAQs – Facility Directory May a hospital provide information, including a patient’s room number, to a patient’s family or friends or to the clergy? YES, the Privacy Rule allows hospitals to disclose patients’ names and other directory information to anyone asking for the patient by name. Patients do not need to sign up to be included in the directory, but must be allowed to “opt-out” and choose not to be listed.

19 FAQs – Leave messages with family or on answering machines Can messages be left with family or on an answering machine? YES. The Privacy Rules allow the healthcare employee to communicate with patients, including communications to the patient's home. When making these types of communications, however, the healthcare worker should take precautions to safeguard the patient's privacy. For example, when leaving a message on the patient's answering machine, the healthcare worker should limit the amount of information left in the message to just the information necessary to confirm the appointment time or to request that the patient call the physician's office.

20 FAQs – Leaving messages with family or on answering machine (cont.) The Privacy Rules also permit a healthcare worker to leave a message directly with the patient's family member or companion. Physicians are allowed to disclose information about the patient's care to the patient's family members and friends, even if the patient is not present or has not affirmatively given the physician permission to do so, so long as the physician believes, in his/her professional judgment, that the disclosure is in the patient's best interest. However, if the patient has expressly directed that there be no disclosure to specific family members or friends, the patient's wishes must be respected.

21 FAQs – Releasing PHI without an authorization May I release PHI to another clinic who has requested PHI of an individual they are providing care to without a signed authorization? YES. HIPAA was not meant to impede patient care. You should verify they are in fact who they say they are and have a right to the information. You can do this by asking for the patient’s date of birth, when did we see the patient, etc. If for any reason you do not believe they have a right to this information, you can request a signed authorization from the patient.

22 FAQs – Privacy in semi-private room? Do I need to take reasonable steps in protecting the patient/resident’s privacy when in a semi-private room? YES. You can use the TV to muffle conversations, pull the privacy curtain and keep voices low. Most important is to ask visitors to leave the room. A high school student wants to job-shadow in radiology. Is this allowed under HIPAA? YES. But before they start, Human Resources needs to be contacted so the proper paperwork is completed.

23 FAQs – Taking picture of patient/resident Do I need consent to publish a patient/resident’s picture in an internal newsletter? YES. Too often internal newsletters do not stay internal. We have a consent form that can be signed by the patient/resident or their representative prior to taking any photographs.

24 Thank you, from …. The Privacy Committee: Karn, Dan, Michael, Ashlee, Paula, Amy, Zach and Sam. Hand In-hand Protecting All Accounts!

