Published by Richard Copeland, modified over 7 years ago
Slide 1: Confidentiality & Security of Protected Health Information
Slide 2: Confidentiality v. Privacy
- Confidentiality - use of discretion; kept secret; only released to a person who is authorized to receive/review it.
- Privacy - the right of the individual to control access to that information.
Slide 3: Privileged Communication
- Patient-Doctor Relationship: information between patient and physician cannot be disclosed to other parties without authorization.
Slide 4: Confidentiality - Physical Environment
- Do not talk about patients in public places (elevators, cafeteria, hallway, bathroom).
- When transporting charts: make sure there is no identifying information showing; turn charts upside down in the cart; do not leave charts unattended when delivering to units.
Slide 5: Confidentiality - Physical Environment
- Do not have computer screens facing the public; log off PCs.
- On the units and in the medical records department: do not leave documentation/charts accessible to the public.
Slide 6: Confidentiality - Physical Environment (Printers)
- Limit access to the medical records department and file room.
- Make areas as private as possible.
Slide 7: Confidentiality - Healthcare Employees
- Staff are educated on patient privacy.
- Confidentiality Agreement: all employees must sign a statement of confidentiality. Employees will be fired if they violate confidentiality.
- The majority of complaints are from patients saying that an employee looked up their records - usually family members, exes, etc.
Slide 8: Confidentiality - Healthcare Employees
- Staff can only view a patient's chart in order to perform their job.
- Audit reports are generated, triggered by employee and by matching last name; the reports are monitored by managers.
- Log-ins are employee-specific and define each employee's access.
- Log off when walking away from a PC.
- Passwords must never be shared between co-workers.
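The audit control described on this slide (employee-specific log-ins, audit reports triggered by same-last-name access, review by managers) amounts to a rule run over the chart-access log. The Python below is an added example and not part of the presentation or any product: the log line format, the care-team table (which employees have a job-related reason to open which chart) and every sample entry are constructed assumptions. It flags two conditions for manager review: an employee opening a chart of a patient with the same last name, and an employee opening a chart they are not assigned to.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample chart-access log (assumed format, not from any real EHR):
# timestamp|employee_id|employee_last_name|patient_mrn|patient_last_name|action
SAMPLE_LOG = """\
2024-03-04T09:12:00|E1001|Nguyen|MRN-5001|Smith|VIEW
2024-03-04T09:15:00|E1002|Smith|MRN-5001|Smith|VIEW
2024-03-04T10:02:00|E1003|Lopez|MRN-5002|Lopez|VIEW
2024-03-04T10:40:00|E1004|Patel|MRN-5003|Jones|VIEW
2024-03-04T11:05:00|E1002|Smith|MRN-5004|Brown|VIEW
"""

# Constructed care-team assignments (assumed to come from scheduling/admissions):
# employees with a job-related reason to view each patient's chart.
CARE_TEAM = {
    "MRN-5001": {"E1001", "E1002"},
    "MRN-5002": {"E1004"},
    "MRN-5003": {"E1004"},
    "MRN-5004": {"E1001"},
}


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    employee_id: str
    employee_last: str
    patient_mrn: str
    patient_last: str
    action: str


def parse_log(text: str) -> list[AccessEvent]:
    """Parse the pipe-delimited log into AccessEvent records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, emp, emp_last, mrn, pat_last, action = line.split("|")
        events.append(AccessEvent(datetime.fromisoformat(ts), emp, emp_last, mrn, pat_last, action))
    return events


def same_last_name(ev: AccessEvent) -> bool:
    """The slide's trigger: employee and patient share a last name (case-insensitive)."""
    return ev.employee_last.casefold() == ev.patient_last.casefold()


def no_care_relationship(ev: AccessEvent, care_team: dict[str, set[str]]) -> bool:
    """Access by someone not assigned to the patient, i.e. no job-related reason on record."""
    return ev.employee_id not in care_team.get(ev.patient_mrn, set())


def audit(events: list[AccessEvent], care_team: dict[str, set[str]]) -> list[dict]:
    """Return one finding per event that needs manager review, with the reasons.

    A same-last-name hit is a review trigger, not a verdict: the employee may
    legitimately be on the care team, so the finding records that too.
    """
    findings = []
    for ev in events:
        reasons = []
        if same_last_name(ev):
            reasons.append("same last name")
        if no_care_relationship(ev, care_team):
            reasons.append("no care-team assignment")
        if reasons:
            findings.append({
                "ts": ev.ts.isoformat(),
                "employee_id": ev.employee_id,
                "patient_mrn": ev.patient_mrn,
                "reasons": reasons,
            })
    return findings


def format_report(findings: list[dict]) -> str:
    """Render findings as one line each for the manager's review queue."""
    return "\n".join(
        f"{f['ts']} employee={f['employee_id']} chart={f['patient_mrn']} review: {', '.join(f['reasons'])}"
        for f in findings
    )


if __name__ == "__main__":
    print(format_report(audit(parse_log(SAMPLE_LOG), CARE_TEAM)))
```

Against the constructed log this yields three review items: E1002 Smith opening the chart of a patient named Smith (on the care team, so the same-last-name trigger alone), E1003 Lopez opening a Lopez chart with no assignment (both reasons), and E1002 opening MRN-5004 with no assignment. The Nguyen and Patel accesses are assigned and name-distinct, so they produce nothing.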
Slide 9: Health Insurance Portability and Accountability Act (HIPAA) – 45 CFR
- HIPAA Privacy Regulations address the use and disclosure of protected health information (PHI).
- HIPAA Security Regulations address administrative, physical, and technical safeguards to protect health information that is collected, maintained, used or transmitted electronically.
Slide 10: Health Insurance Portability and Accountability Act (HIPAA) – 45 CFR
- Only "Covered Entities" must comply with HIPAA: health care providers; health care plans; health care clearinghouses; companies that process and/or collect data on behalf of a covered entity.
- Business Associates must also comply: a contracted vendor that uses confidential health information to perform a service on behalf of the covered entity (e.g. a copy service, outsourced transcription services).
Slide 11: Protected Health Information
- What is PHI? Individually identifiable health information that is transmitted or maintained in any form or medium by covered entities or their business associates.
- Can be oral, written, and/or electronic information.
- Examples: patient name, address, SSN, medical record number, dates of service, etc.
Slide 12: Uses and Disclosure
- Use – we covered the uses.
- What is disclosure? When PHI is given to someone.
- When can PHI be released? When a patient authorizes it; when HIPAA, in conjunction with Wisconsin State Statutes and any other relevant Federal Regulations, allows it.
Slide 13: Applying HIPAA
- What kind of documentation are you dealing with?
- General Medical Records – State Statute.
- Mental Health: state law is much more strict; cannot release for treatment, payment, or healthcare operations without an authorization signed by the patient; parents do not always have the right to access minors' records.
Slide 14: AODA - 42 CFR, Part 2 (federal)
- HIV - state statute. HIPAA? State law requires consent for release of test results; state law is more protective, so follow the State mandates.
- AODA - 42 CFR, Part 2 (federal). Federal law is more strict and gives the patients more rights; even with a court order one should seek legal counsel.
Slide 15: Disclosures of PHI - Required Disclosures
Two types:
- Patients: HIPAA allows a covered entity 30 days to respond to a request for records. If a covered entity fails to do so, the patient may submit a complaint to the Office for Civil Rights (OCR).
- The Secretary of the Department of Health and Human Services, for compliance auditing purposes.
Slide 16: Disclosures of PHI - Permitted Disclosures
- There are many permitted disclosures.
- Consider HIPAA in conjunction with State and other Federal Laws – which do you follow? Which provides the most protection/privacy for the patient?
- If authorized by the patient, HIPAA and state laws allow Health Care Providers to release for: Treatment - continuing care; Payment - release to insurance companies for payment of the bill; Healthcare Operations - quality management reviews, risk management, anything internal.
Slide 17: Disclosures of PHI - Exceptions
- Public Health: reporting positive lab results for communicable disease.
- Child/Elder Abuse.
- Court Order.
- Law Enforcement: if a patient has a wound that is thought to be the result of a crime; if reporting a crime on the premises – limited data; suicidal or homicidal threat.
- Sexual Assault? NO. Domestic Violence? NO.
Slide 18: Disclosure of PHI - Exceptions (cont.)
- Coroners, Medical Examiners, Funeral Directors.
- Organ Procurement.
- Worker's Compensation: limited to the injury that is being claimed.
- Specialized Government Functions.
Slide 19: Disclosure of PHI - Required Elements and Required Statements
IF THE RELEASE IS NOT PERMITTED OR IS NOT ONE OF THE "EXCEPTIONS", IT MUST BE AUTHORIZED BY THE PATIENT. Every authorization must be checked for validity.
Required Elements:
- Description of the information to be used or disclosed.
- The name of the facility that is being authorized to release it.
- The name of the person(s), or class of persons, to whom the covered entity may disclose.
- A description of the purpose of the requested use or disclosure.
- An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure.
- Signature - state law does not allow a person to sign another person's name.
Required Statements:
- Right to revoke the authorization - must be in writing to the health care entity authorized to release. The exception to the right to revoke: except to the extent that the authorization has already been acted upon.
- The ability or inability to condition treatment, payment or enrollment.
- Potential for re-disclosure of the PHI.
Slide 20: Disclosure of PHI - Who can sign the authorization?
- Patient.
- Patient's legal representative.
- Power of Attorney - but only after the POA is activated.
- Parent – if the patient is under 18 (except in mental health and AODA circumstances).
Slide 21: Disclosure of PHI - What about verbal release?
- Can healthcare professionals talk to the patient's family and friends?
- HIPAA – implied consent: if family/friends are in the room, consent is implied.
- Revised WI State Law – the patient has to agree to the disclosure to family and friends; it does not have to be a written agreement.
- If the patient is unable to consent … then YES.
Slide 22: Patient Rights
HIPAA – The Privacy Rule – gives patients certain rights:
- Receive Notice of Privacy Practices
- Right to Restrict
- Right to Access
- Right to Amend
- Right to Revoke
- Right to Have an Accounting of Disclosure
- Right to Complain
Slide 23: Notice of Privacy Practices
- Summarizes the facility's privacy policies and explains how the facility may use or disclose patient health information.
- Must be in "plain" language and provide examples.
- Must provide contact information for the privacy officer.
- The covered entity must obtain a signed acknowledgement from the patient stating the notice was received.
Slide 24: Right to Restrict
- HIPAA has given the patient the right to restrict access to their records; however, the covered entity has the right to deny that request. It is very difficult to restrict access to electronic records (Aurora example).
- The patient has the right to "opt out": not listed in the facility directory; individuals calling the facility would not be told the patient is there, and calls would not be transferred to the patient.
- The patient may also ask for "confidential communications", i.e. sending the bill to another address.
Slide 25: Right to Access
- Patients have a right to access and have copies of their records.
- Exception: if the HCP feels access may cause harm to the patient. Must document. Only applies when the patient is being treated.
- HCPs must respond within 30 days of the request by the patient.
- A patient must request in writing. If authorizing PHI to be disclosed to someone other than themselves, the request must be made on a HIPAA-compliant form.
- Retention Policies.
Slide 26: Right to Access (cont.) - Designated Record Set
- HIPAA requires Health Care Providers to define their Designated Record Set.
- Must include: legal medical records; billing records of the patient; any records used to make decisions about the individual.
- What information is not included in the designated record set? Health information generated, collected, or maintained for purposes that do not include decision making about the individual (i.e. research); data collected and maintained for performance improvement purposes.
Slide 27: Right to Amend
- The HIPAA Privacy Regulation gives patients the right to request an amendment to their health information.
- The HCP (Privacy Officer) has 60 days to respond to the request to amend.
- The HCP can be given a 30 day extension (one time); the patient must be informed in writing of the delay and given an expected date of response.
- The HCP can deny the request to amend if: the information was not created by the facility; the information is not part of the designated record set; the information is not available for access; the information is not accurate and complete.
Slide 28: Right to Amend - Steps to follow for an Amendment (handled by the Privacy Officer)
1. Patient asks to make an amendment to his/her PHI.
2. Patient is provided with the appropriate request form.
3. Once the patient completes the request form, the Privacy Officer will contact the health care provider that created the document in which the patient is requesting the amendment.
4. The health care provider reviews the request and determines if the request will be accepted and acted upon or denied.
Slide 29: Right to Amend (cont.)
- If acted upon, the HCP will: make the necessary corrections to the document; forward it to any other HCP that received copies or to which the patient has instructed.
- The patient will: receive a document stating the amendment was agreed upon; receive a copy of the corrected document.
Slide 30: Right to Amend (cont.)
- If the amendment is denied, the Privacy Officer will generate a letter to the patient stating the reason for denial.
- If the patient disagrees with the denial, they must be given the opportunity to provide a statement of disagreement.
- The patient can then request that all future releases include a copy of: his/her request for amendment; the facility's denial letter; his/her disagreement statement.
Slide 31: Amendment Scenarios - Denied
- Patient requests that the record be amended because the physician stated that the patient was "obese". The patient feels that the PCP should not have used that term and would like it to be changed.
- Patient requests that the record be amended because the physician used the word "depressed" and the patient feels the physician should not have used that word, possibly for fear of the stigma that goes along with any term related to mental health.
Slide 32: Amendment Scenarios - Accepted
- Patient had surgery on the left knee but the document states "right" knee.
- The medications listed for the patient are incorrect.
- Past medical/surgical history states a disease/procedure the patient did not have.
Slide 33: Right to Have an Accounting of Disclosure
- HIPAA requires that disclosures that do not fall under one of the Permitted Disclosures must be accounted for.
- The following data must be listed: who received the documentation; when the document was released; why and how the disclosure was made.
Slide 34: Right to Complain
- Patients must be given the right to discuss their concerns about privacy violations with a staff member (Privacy Officer) and ultimately with the Office of Civil Rights.
- The Office of Civil Rights has to: investigate complaints; enforce the privacy rule; impose penalties for HIPAA violations.
- Penalties may be civil or criminal and may involve fines and imprisonment depending on the circumstances.
Slide 35: Right to Revoke
- The patient has the right to revoke an authorization previously given and/or acted upon.
Slide 36: AHIMA Code of Ethics
The code is relevant to all AHIMA members and credentialed HIM professionals and students, regardless of their professional functions, the settings in which they work, or the populations they serve.
The ethical obligations of the health information management (HIM) professional include:
- protection of patient privacy and confidential information;
- development, use, and maintenance of health information systems and health records;
- quality of information - both handwritten and computerized medical records.
Healthcare consumers are increasingly concerned about the loss of privacy and the inability to control the dissemination of their protected information. Core health information issues include what information should be collected; how the information should be handled; who should have access to the information; and under what conditions the information should be disclosed.
Slide 37: AHIMA Code of Ethics - Purposes
- Identifies core values on which the HIM mission is based.
- Establishes a set of ethical principles to guide decision-making and actions.
- Helps HIM professionals identify relevant considerations when professional obligations conflict or ethical uncertainties arise.
- Provides ethical principles by which the general public can hold the HIM professional accountable.
- Socializes practitioners new to the field to HIM's mission, values, and ethical principles.
- Articulates a set of guidelines that the HIM professional can use to assess whether they have engaged in unethical conduct.
Slide 38: Use of the Code
- Violation of principles in this code does not automatically imply legal liability or violation of the law.
- Alleged violations of the code are subject to a peer review process. Typically this process is separate from legal or administrative procedures and insulated from legal review or proceedings, to allow the profession to counsel and discipline its own members.
- In some situations, however, violations of the code would constitute unlawful conduct subject to legal process.
Slide 39: Terms to Know
- Privileged Communication
- Privacy
- Confidentiality
- Security
- HIPAA
- PHI (protected health information)
- Consent
- Authorization
- Use
- Disclosure
- Minimum Necessary
- Covered Entities
- Notice of Privacy Practices
- Designated Record Set
- Confidentiality Agreement
- Business Associate