HIPAA/HITECH Privacy Job Specific Training


1 HIPAA/HITECH Privacy Job Specific Training
Medical Staff / Physicians / APPs
Welcome to the HIPAA and HITECH Privacy Training.

2 Objectives Provide an overview of HIPAA and HITECH privacy key definitions and principles Describe how HIPAA and HITECH affect job duties Give tips and guidance for applying privacy requirements This course is designed to provide an overview of key definitions and principles from the HIPAA and HITECH patient privacy laws and regulations, describe how HIPAA and HITECH affect workforce members, as well as provide tips and guidance to ensure patient information is properly protected and safeguarded.

3 Facility Privacy Official (FPO)
Each facility has a designated FPO:
St. David’s Medical Center / Heart Hospital of Austin: Chelsea Martel
Georgetown Medical Center / Round Rock Medical Center: Emily Marcus
North Austin Medical Center / St. David’s Surgical Hospital: Rebecca Parisi
South Austin Medical Center: Kara Martin
Every workforce member should be familiar with the facility’s FPO. This is the “go-to” person for: potential patient privacy issues; questions on patient privacy matters; patient privacy complaints. Every HCA facility and shared services center has a facility privacy official, or FPO, designated to oversee the facility’s patient privacy program. If you have not yet become acquainted with the FPO during your orientation, be sure to work with your management team to identify the FPO in your setting. The FPO will be your “go-to” person for patient privacy related matters, such as potential issues that occur, questions on patient privacy related matters, or if you are contacted by a patient with a privacy related complaint. The FPO plays a critical role in the facility by ensuring workforce members are properly trained and patient information is appropriately safeguarded and protected.

4 HIPAA Definition and Purpose
What is HIPAA? Health Insurance Portability and Accountability Act of 1996 Title II- Administrative Simplification Federal Law What is the purpose of the law? Guarantee privacy and security of health information Protecting health insurance coverage, improving access to health care Reducing fraud, abuse and health care costs You are likely familiar with the Health Insurance Portability and Accountability Act of 1996, better known as HIPAA. This federal law was created to guarantee privacy and security of health information, protect health insurance coverage, including access to health care, and to reduce fraud, abuse and administrative health care costs. Oftentimes people are most familiar with HIPAA in relation to patient privacy.

5 HITECH Definition and Purpose
What is HITECH? Health Information Technology for Economic and Clinical Health Act Subtitle D of the American Recovery and Reinvestment Act of 2009 (ARRA) Federal Law What is the purpose of the law? Made massive changes to existing privacy and security laws Creates a nationwide electronic health record Increased penalties for privacy and security violations In 2009, President Obama signed the American Recovery and Reinvestment Act into law, which included the Health Information Technology for Economic and Clinical Health Act, or HITECH. For the first time since the implementation of HIPAA, significant changes to privacy and security laws were made. HITECH also creates a nationwide electronic health record and increases the penalties for privacy and security violations. While protecting patient privacy was required and important under HIPAA, the HITECH Act strengthened those protections and placed additional requirements on the health care community. It is also important to note that individual states may have specific privacy laws as well. In cases where the state law is more stringent than the federal privacy laws, the state law must be followed.

6 HITECH Changes Examples of changes due to HITECH Criminal provisions
Office of Civil Rights audits Breach notification requirements Changes to the patients’ right to access While there are many changes as a result of HITECH, some of the more substantial changes included strengthened criminal provisions, adding requirements for notification when certain breaches of protected health information, or PHI, occur, additional audit capabilities by the Office of Civil Rights, and changes to the patients’ right to access his or her health information. We’ll discuss some of these changes in more detail in the next few slides.

7 Breach Notification Certain breaches of protected health information resulting in risk that the information was compromised require notification to: The patient The Department of Health and Human Services In some situations, the media Covered entities, such as health care providers, are required by HITECH to notify the patient, the Department of Health and Human Services, and in some cases the media, when certain breaches of PHI occur. An unauthorized acquisition, use, access or disclosure of unsecured, unencrypted PHI that poses a risk that the information was compromised is considered a HITECH breach.

8 Civil Money Penalties for Non-Compliance*
The Department of Health and Human Services categorizes privacy violations into four categories: did not know, reasonable cause, willful neglect that has been corrected, and willful neglect that has not been corrected. Each category has a range of civil monetary penalties associated with the type, with a cap of $1,500,000 for violations of an identical provision in the same calendar year. As you can see, privacy violations can result in large fines when facilities and workforce members are non-compliant. It is everyone’s responsibility to ensure patient information is properly protected and safeguarded! *As of 1/25/13

9 Criminal Penalties for Non-Compliance
Applies to health plans, providers, clearinghouses and business associates that knowingly and improperly disclose information or obtain information under false pretenses. Apply to any “person” Up to $50,000 and one year in prison for obtaining or disclosing protected health information (PHI) Up to $100,000 and up to five years in prison for obtaining PHI under “false pretenses” Up to $250,000 and up to 10 years in prison for obtaining or disclosing PHI with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm As a result of HITECH, clarification was made that non-compliance with patient privacy laws can result in criminal penalties, including prison, for individuals. Criminal penalties can apply to any individual – including employees. Depending on the type of compliance issue, the penalty ranges from $50,000 to $250,000, and from one to ten years in prison. This speaks to how seriously the government takes protecting our patients’ privacy.

10 HIPAA Terminology BAA: Business Associate Agreement
HIPAA: Health Insurance Portability and Accountability Act
HITECH: Health Information Technology for Economic and Clinical Health Act
PHI: Protected Health Information
CE: Covered Entity (Hospital)
ACE: Affiliated Covered Entity (Common ownership)
OHCA: Organized Health Care Arrangement (The hospital and medical staff will be considered an Organized Health Care Arrangement)
DRS: Designated Record Set (medical record and billing record)
AOD: Accounting of Disclosures (patient’s right to receive)
Directory: Hospital census list used by volunteers and operators with name and room
NOPP: Notice of Patient Privacy

11 How does HIPAA affect you?
Coversheets with a confidentiality statement must be used on all external faxes. Screens must be placed out of public view when possible. Patient charts must be kept in a secure area. All PHI (e.g., dietary slips) must be placed in shred containers (e.g., Shred-It bins). Patient information must only be accessed if there is a need to know, and only the minimum necessary may be used. Patient family members will give a passcode for releases other than directory information.

12 How does HIPAA affect you?
Patient consent must be obtained before speaking in front of family members or visitors Registration will be giving out a Notice of Privacy Practices to every patient. Physicians in the OHCA are covered by the facility’s Notice Patients will be given the option to “opt out” of directory Patients have a right to a copy of their medical record Written patient authorization is required for most disclosures that are not related to treatment, payment, or health care operations

13 Protected Health Information (PHI)
Name
Address including street, county, zip code and equivalent geocodes
Names of relatives
Name of employers
All elements of dates except year (e.g., DOB, admission/discharge, expiration, etc.)
Telephone numbers
Fax numbers
Email addresses
Social security number
Medical record number
Health plan beneficiary number
Account number
Certificate/license number
Any vehicle or other device serial number
Web universal resource locator (URL)
Internet protocol address (IP)
Finger or voice prints
Photographic images
Any other unique identifying number, characteristic or code
One of the key elements of protecting patients’ health information is to define what is considered PHI. PHI is information pertaining to health care that contains any of the identifiers listed on this slide. People often believe that if the patient’s name is removed the information is no longer PHI, but nothing could be further from the truth. As you can see from this list, there are many other data elements that make information identifiable.

14 Covered Entity An entity subject to HIPAA and HITECH
Health plans, health care clearinghouses, and health care providers that transmit electronically for billing Hospitals Physician Practices Insurance Companies Home Health Agencies Hospice HIPAA and HITECH are applicable to entities known as covered entities. A covered entity is a health plan, health care clearinghouse, or health care provider that transmits electronically for billing purposes. The HITECH Act also makes the HIPAA Privacy and Security Rules applicable to entities known as business associates. HCA hospitals, surgery centers, physician practices, imaging centers, cancer centers, etc. are covered entities.

15 Business Associate (BA)
A person, company, corporation, or any other legal entity that creates, receives, maintains or transmits PHI to perform a function or activity on behalf of the facility or to perform certain professional services for the facility Billing Legal Quality Assurance Claims Processing Services covered by a Business Associate Agreement (BAA) A business associate is any person, company, corporation, or other legal entity that creates, receives, maintains or transmits PHI to perform a function or activity on behalf of the facility, or to perform certain professional services for the facility. Common services that are provided to or for a covered entity by a business associate include claims processing services, legal services, and billing functions. When a business associate relationship exists with a covered entity, a business associate agreement, commonly known as a BAA, must be in place. This agreement outlines the requirements the business associate must adhere to from a HIPAA and HITECH perspective.

16 Affiliated Covered Entity (ACE)
Legally separate affiliated CEs designated as a single CE for HIPAA purposes Typically facilities within the same Meditech market or division Affiliated covered entities or “ACE” are legally separate covered entities that are affiliated and designated as one covered entity for HIPAA purposes. For example, facilities in the same Meditech market or division may designate themselves as an ACE for joint marketing purposes.

17 Organized Health Care Arrangement (OHCA)
Clinically integrated care setting in which individuals typically receive health care from more than one health care provider Most commonly found in the hospital setting An Organized Health Care Arrangement or “OH-CA” is an arrangement commonly found in a hospital setting. The OHCA is a clinically integrated care setting in which individuals typically receive health care from more than one health care provider. For example, a patient in the hospital may see several physicians during his or her stay that represent different health care specialties and physician practices. As part of an OHCA, the providers are permitted to share PHI for treatment, payment, and health care operations purposes as well as give the patient just one Notice of Privacy Practices.

18 What does that mean to me?
You can share information without patient authorization as it relates to treatment, payment, and health care operations (TPO) Other covered entities will request only the minimum necessary to perform their job You may request information from them for reasons of TPO without patient authorization May need to verify the requestor according to policy

19 Designated Record Set (DRS)
Group of records maintained by or for facility Medical and billing records Information, in whole or in part, used by facility to make health care decisions about the individual The Designated Record Set, or DRS, is the group of records maintained by or for the facility. These are the records that typically consist of the patient’s medical and billing records and contain information used by the facility to make health care decisions about the individual. The DRS is the set of records for which HIPAA provides specific patient rights. We will discuss those rights later in the presentation.

20 Minimum Necessary Only workforce members with a legitimate “need to know” may access, use or disclose PHI, regardless of the extent of the access provided. Only the minimum amount of PHI necessary may be used to accomplish the intended purpose of the access, use or disclosure. Workforce members may not access their own record; contact HIM/medical records to request it. One of the most important concepts for workforce members to understand is “minimum necessary.” Workforce members may only access, use or disclose PHI when they have a legitimate business need to know, no matter how much system access has been provided. In addition, when responding to requests for PHI, only the minimum amount of PHI necessary to accomplish the purpose may be accessed, used or disclosed. Workforce members should consider whether the information requested is the minimum necessary. For example, is it required that the receiver be provided the patient’s social security number? It is also important to note individuals, with the exception of medical staff physicians, are not permitted to access their own records in any system. Workforce members must contact the HIM or medical records department to request their own PHI.

21 Right to Access Patient (or legal representative) may inspect and/or obtain a copy of PHI contained in the DRS Some limited exceptions Psychotherapy notes, and information compiled for use in civil/criminal/administrative actions Direct patients to your facility’s designated department (e.g., HIM) If patient is in-house, HIM will manage access process The first patient privacy right we will discuss is the patient’s right to access his or her PHI. With some limited exceptions, the patient or the patient’s legal representative may inspect and/or obtain a copy of PHI contained in the designated record set. Examples of the limited exceptions for the right to access include psychotherapy notes and information compiled for use in civil, criminal or administrative actions. Workforce members who receive a patient request for access to PHI must direct the patient to the facility’s designated department, such as HIM, in order for the request to be appropriately addressed. Individuals have the right to obtain information in an electronic format, provided that it is readily producible, or in a readable electronic form and a format agreed to by the facility and individual. There is no difference between paper and electronic access. Detailed guidance documents regarding responding to requests for PHI in electronic forms or formats are available on Atlas. Individuals, with the exception of medical staff physicians, with access to electronic systems may not access their own record in any system. In that scenario, the individual would request access through the normal process at the facility rather than directly accessing the information.

22 Right to Amend Patients have the right to request an amendment to records in the DRS. Request must be made in writing to the FPO. Cannot change or omit documentation already in the medical record. Forward request to HIM for processing. If patient is in-house, HIM will manage the amendment process. Patients and their legal representatives have the right to request an amendment to records that are part of the designated record set. These requests must be made in writing to the FPO. Therefore, workforce members must direct patient requests for amendment to the FPO. Although information may be amended, documentation cannot be changed or omitted once part of the medical record.

23 Confidential Communications
Patients have the right to request to be contacted at alternate locations or by alternate means All reasonable requests must be accommodated A form must be completed by the patient or patient’s legal representative Patients may also request what is known as confidential communications. This means that a patient may ask us to only contact them at an alternate location or by alternate means. We must accept all reasonable requests for confidential communications. The request must be made in writing and be completed by the patient or the patient’s legal representative.

24 Opt Out of the Directory
Patients have the right to opt out of the facility directory at any time, but this usually happens during the admission process. Information can still be released to family and friends with the 4-digit passcode as defined in the Directory policy. Cannot acknowledge the patient is in the hospital or the condition of the patient except for treatment, payment or health care operations purposes. Clergy will not have access. No floral or other deliveries. In the hospital setting, the confidential flag is set in Meditech. As part of the registration process, patients are provided the opportunity to opt out of the facility directory. The hospital will not acknowledge the presence of a patient within the facility or disclose the patient’s condition, except in some situations, such as for treatment, payment or health care operations purposes, when a patient opts out of the directory. In addition, there will not be floral or other deliveries, and clergy will not have access to the patient. A confidential flag is set in Meditech for hospital patients that opt out of the directory.

25 Right to Restrict Patients have the right to request restrictions of uses and disclosures of PHI NEVER agree to a restriction that a patient may request All requests must be made in writing and given to the FPO to make a decision on NO request is so small that it should not be routed to the FPO Patients and their legal representatives may request restrictions to the uses and disclosures of PHI. However, it is important to note that in general these requests do not have to be accepted by the facility, unless the patient requests a restriction of the disclosure of PHI to his or her health plan, the disclosure is not for treatment purposes or otherwise required by law, and the patient has paid out of pocket in full for the item or service. All requests for restrictions must be made in writing to the FPO or the FPO’s designee; therefore, workforce members must refer patients to the FPO when a restriction is requested. Workforce members must never agree to a request for a restriction, as this determination must be made by the FPO.

26 Patient Privacy Complaints
Route all patient privacy complaints to the FPO. FPO must acknowledge the complaint. Complaint log maintained by the FPO in accordance with the facility’s policy. No retaliatory actions can be taken. Disposition of the complaint must be consistent with the facility’s sanctions policy and Information Security Violations. Every patient or patient’s legal representative has the right to make a privacy complaint. Workforce members must route all patient privacy complaints to the FPO. The FPO will acknowledge the complaint to the complainant and will maintain a log of privacy complaints received. Facilities may not retaliate against a patient or a patient’s legal representative for filing a privacy complaint. The final disposition of the complaint must be consistent with the facility’s sanctions policy.

27 Accounting of Disclosures (AOD)
Patients have the right to request a written accounting of disclosures of PHI to authorized individuals a facility has made during the six years prior to the date the report is requested Every facility must have a process in place to log AOD entries (e.g., MEDITECH MRI Correspondence Module, spreadsheet) The HIPAA Privacy Rule also permits patients and patients’ legal representatives to request a written accounting of disclosure, or “A-O-D.” The AOD contains a listing of the disclosures of PHI made for the six years prior to the date the report was requested. It is important to note that some disclosures are currently exempt from the AOD requirements. For example, at this time, AOD entries are not required for treatment, payment or health care operations disclosures. Every facility must have a process in place to log AOD entries. In the hospital setting, the MEDITECH MRI Correspondence Module is used. In outpatient settings, AODs may be captured in the information system used, databases or spreadsheets. If the scope of your duties and responsibilities includes capturing AODs for those disclosures which require an entry, work with the FPO at your location for the specific requirements in your setting.

28 Notice of Privacy Practices (NOPP)
Patients’ privacy rights are outlined in the NOPP Outlines patient rights -Breach Notification -Right to Access -Right to Amend -Fundraising and the Right to Opt Out -Confidential Communication -Right to Privacy Restriction -Right to Opt out of Directory Patient receives NOPP at each registration Physicians in the OHCA are covered by the facility’s Notice for hospital patients The HIPAA Privacy Rule requires covered entities to give patients a Notice of Privacy Practices or “N-O-P-P.” The NOPP must be offered to patients at each registration, prominently displayed in registration areas in the facility, and posted on the facility’s website. The NOPP outlines patients’ privacy rights, such as breach notification, the right to access, the right to amend, the right to request confidential communications, the right to restrict uses and disclosures of PHI, the right to opt out of the facility directory, the right to request an accounting of disclosure, and fundraising and the right to opt out.

29 Sharing Information with Other Treatment Providers
Information may be shared for TPO with physicians and office staff, hospitals, or other treatment facilities on mutual patients Need to verify the identity of the requestor according to policy PHI can be released for reasons of treatment, payment or health care operations

30 HIPAA Authorizations Form signed by the patient or patient’s personal representative authorizing the release of PHI to a third party or individual Not required for treatment, payment, or health care operations disclosures (unless otherwise required by State law) Certain required elements in order to be “HIPAA Compliant” Always use the facility’s form, when possible In situations where the HIPAA Privacy Rule does not specifically permit a use or disclosure of PHI, an authorization form signed by the patient or the patient’s personal representative must be obtained prior to the release of information. Each facility must have a standard HIPAA compliant authorization form in place. The facility’s form must be used, when feasible. Otherwise, facilities must ensure that the authorization received from a third party contains all of the required elements.

31 Disclosing PHI to Family Members and Friends Who Call the Unit
Patient will be assigned a four-digit passcode that will be needed to obtain non-directory information Distribution of passcode will be the responsibility of the patient Passcode may be changed during treatment -Revocation and password change form must be routed to FPO

32 Verification of External Requestors
Requestors via phone will need: Patient SS#, DOB and one of the following: Account number, street address, medical record number, birth certificate, insurance card or policy number Scenarios Unknown physician calling from cell phone Family member or friend calling without passcode Every member of the workforce must verify the identity of any person or entity that is unknown to the workforce member and is requesting PHI. This applies whether the request is in person, verbal or via written request. There are a few exceptions to the verification requirements, including disclosures from the facility directory, disclosures for disaster relief purposes and disclosures for the involvement in the individual’s care and notification purposes.

33 Ensuring Security Compliance
Ensure users log off terminals when not in use. Computers should have screen savers whenever possible. Computer screens should be positioned so information (PHI) is not readable by the public or other unauthorized viewers. Printers should be positioned in protected locations so that printed information is not accessible or viewable by an unauthorized person. PHI must be properly disposed of in shred bins.

34 Examples of Exposures Impermissible acquisition, access, use or disclosure of unsecured (e.g., unencrypted) PHI. Discussions of patient information in public places such as elevators, hallways and cafeterias. Printed or electronic information left in public view (e.g., charts left on counters). Discussing patient information on social networking sites (e.g., Facebook, Twitter). PHI in regular trash. Records that are accessed without a need to know in order to perform job duties. Unauthorized individuals (e.g., patient visitors) hearing patient sensitive information such as diagnosis or treatment. PHI that was intentionally acquired, accessed, used and/or disclosed by workforce outside the scope of their role (e.g., snooping, gossip, posting to social media, stealing or selling PHI). PHI that was inadvertently disclosed to an unauthorized party (e.g., wrong patient, attorney not representing HCA, business) who is not a covered entity, where the exposure was otherwise limited (e.g., sensitive and/or clinical information was not disclosed, or the issue was mitigated).

35 Sanctions Each facility must have a sanctions policy to address privacy and information security violations Workforce members may be sanctioned (e.g., written warning, termination) for privacy and security violations Two categories of privacy and security violations -Negligent Accidental/inadvertent and/or due to lack of proper education or an unacceptable number of previous violations -Intentional Purposeful or deliberate violation of privacy or information security policies or an unacceptable number of previous violations Contact your FPO for a copy of your facility’s policy Due to the importance of protecting patient information, HIPAA requires that covered entities have a sanctions policy in place to address privacy and information security violations. Workforce members may be sanctioned when violations of patient privacy or information security occur. Examples of sanctions include, but are not limited to, retraining, verbal warning, written warning, and termination. Workforce members should refer to their facility’s policy or contact the FPO for specific information on the sanctions policy.

36 Uses and Disclosures Required by Law
PHI may be disclosed about an individual the facility believes to be a victim of abuse, neglect, or domestic violence to a government authority authorized by law to receive it. PHI may be disclosed in the course of any judicial or administrative proceeding. PHI may be disclosed to law enforcement in certain scenarios: if required by law, including reporting certain types of wounds or injuries; in response to a law enforcement official’s request for PHI for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person, or if the individual is, or is suspected to be, a victim of a crime; to alert law enforcement of a death resulting from criminal conduct; if the facility believes in good faith that a crime has occurred on the premises. There are some situations where the use or disclosure of PHI may be required or permitted by law. The facility may disclose PHI about an individual the facility reasonably believes to be a victim of abuse, neglect, or domestic violence to a government authority, such as social services, or a protective services agency, authorized by law to receive such reports, if the patient or patient’s personal representative agrees, or the disclosure is expressly authorized by statute or regulation. The facility may also disclose PHI in the course of any judicial or administrative proceeding, such as in response to a court, or administrative tribunal via a subpoena, discovery request, or other lawful process.
PHI may be disclosed to a law enforcement official if required by law, including the reporting of certain types of wounds or other physical injuries; In response to law enforcement official’s request for PHI for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person; In response to law enforcement official’s request for PHI if the individual is or is suspected to be, a victim of a crime; To alert law enforcement of the death of the individual if the facility has a suspicion that such death may have resulted from criminal conduct; If the PHI disclosed to law enforcement is PHI the facility believes in good faith constitutes evidence of criminal conduct that occurred on the premises of the facility. It is important to note that there are often state laws that must be followed in these situations. Consult the policy or your facility’s FPO for additional information.

37 Uses and Disclosures for which an Authorization or Opportunity to Agree or Object is not Required
Disclosures for Public Health Activities; Certain Disclosures of Immunizations; Health Oversight Activities; Certain Disclosures about Decedents; Disclosures to Avert a Serious Threat to Health or Safety; Disclosures for Specialized Government Functions; Disclosures for Workers’ Compensation. The HIPAA Privacy Rule permits certain disclosures without a patient’s HIPAA compliant authorization or a chance to agree or object to the disclosure or use of his or her PHI. These disclosures typically involve releases to public health agencies, health care oversight agencies, law enforcement, and specialized government functions. Workforce members should contact their FPO for specific scenarios and additional information from the policy. There are several scenarios in which authorization or consent is not required to disclose PHI. Keep in mind that most states have separate patient privacy laws that may apply additional legal requirements. Consult your Operations Counsel to identify and comply with any such additional legal mandates.

38 Uses and Disclosures to Other Covered Entities
PHI may be disclosed to other covered entities without the patient’s HIPAA compliant authorization: for treatment activities of a health care provider; for the payment activities of the entity that receives the PHI; for limited health care operations activities, if each entity either has or had a relationship with the individual who is the subject of the PHI being requested and the PHI pertains to such relationship; for the purpose of health care fraud and abuse detection or compliance; to other members of the OHCA for health care operations. PHI may be disclosed to other covered entities or health care providers for treatment or payment activities without the patient’s HIPAA compliant authorization. PHI may also be disclosed to another covered entity for limited health care operations activities of the covered entity that receives the information if each entity either has or had a relationship with the individual who is the subject of the PHI being requested and the PHI pertains to such relationship. Limited health care operations include activities such as conducting quality assessment and improvement activities, reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities, or for the purpose of health care fraud and abuse detection or compliance. PHI may be disclosed to other members of the OHCA of which the facility is a member for any health care operations activities of the OHCA.

39 Uses & Disclosures of PHI for Involvement in the Patient's Care and Notification Purposes
- To notify a family member, personal representative, or another person responsible for the care of the patient of the patient’s location, general condition, or death
- To an entity authorized to assist in disaster relief efforts, for the purposes of coordinating the permitted uses and disclosures
- Permitted only if:
  - Patient agreed
  - Patient was provided opportunity to object and did not
  - Inferred based on professional judgment that patient did not object
- Relevant PHI may be disclosed to any person to whom the patient has given his or her passcode

PHI may be disclosed to a patient’s family members, significant others, and friends for patient care purposes. If the patient is present prior to the use or disclosure and has the capacity to make health care decisions, PHI may be used or disclosed to notify, or assist in the notification of, a family member, a personal representative of the patient, or another person responsible for the care of the patient, of the patient’s location, general condition or death, or to an entity authorized by law or by its charter to assist in disaster relief efforts, for the purposes of coordinating with such entities the permitted uses and disclosures. These uses or disclosures may only occur if either the patient has agreed, the patient was provided with the opportunity to object to the disclosure and did not, or it was inferred from the circumstances, based on the exercise of professional judgment, that the patient did not object. In the hospital setting, the policy requires that patients be provided a passcode to give to friends and family members in order to obtain information about the patient’s health care. For other provider settings, work with your FPO for the proper procedure.

40 Incidental Use and Disclosures
- Disclosure that cannot be reasonably prevented, is limited in nature, and occurs as a by-product of a permitted use or disclosure of PHI
- Must have appropriate safeguards in place
- Examples:
  - Discussions overheard at the nurses’ station
  - Physician speaking with a patient in a semi-private room
  - Telephone conversation overheard at the registration desk

HIPAA permits certain disclosures that cannot be reasonably prevented, are limited in nature, and occur as a by-product of a permitted use or disclosure of PHI, as long as reasonable and appropriate safeguards are in place. These permitted disclosures are known as “incidental” disclosures. Common examples of incidental disclosures include discussions overheard at the nurses’ station, a patient overhearing a physician’s discussion with another patient in a semi-private room, or telephone conversations overheard from the registration desk, provided that reasonable safeguards are in place such as using a lowered voice, drawing a curtain, closing the door, etc.

41 Safeguarding Oral PHI
- Do not discuss PHI in public areas or with anyone without a need to know – even if you don’t use the patient’s name
- Some exceptions (e.g., in an emergency situation for treatment purposes, incidental disclosures)
- Use lowered voices or step away from others
- Verify recipients of PHI prior to disclosure
- Ask permission to speak in front of visitors
- Only leave messages containing PHI on answering machines in accordance with facility policy

We will now discuss ways that workforce members must safeguard different types of PHI. Disclosing PHI orally or verbally happens very easily and is one of the most common disclosures. Workforce members can easily prevent inappropriately disclosing PHI orally by:
- Not discussing PHI in public areas or with anyone who does not have a need to know. For example, refrain from discussing patients in the cafeteria, in the elevator, and at home. Even if you don’t use the patient’s name, PHI may still be disclosed. Please note that in emergency treatment situations, these disclosures are incidental.
- Using a lowered voice or stepping away from others.
- Verifying recipients of PHI prior to disclosure. Ensure that you are speaking to the correct party about the correct patient.
- Asking the patient for consent before discussing PHI in front of family or visitors.
- Only leaving PHI on an answering machine in accordance with your facility policy. Limit the amount and type of information left on the machine to prevent inappropriate disclosures.

42 Safeguarding Paper PHI
- Properly dispose of PHI (e.g., shredding bin)
- Do not leave PHI in public view
  - Example: Charts left unattended on the counter of the nursing station
- Secure PHI after hours
- Verify recipients of PHI prior to disclosure
  - Example of a failure: Handing discharge paperwork belonging to another patient to the wrong patient
- Never remove PHI from the facility unless relevant to your job function and approved in advance by your manager

It is every workforce member’s responsibility to ensure PHI is safeguarded. Due to the volume of paper PHI flowing through the facility, it is important that each workforce member does their part to limit disclosures. Examples of ways to safeguard paper PHI include:
- Always properly dispose of PHI in the appropriate container. For example, PHI must be shredded rather than just recycled.
- Do not leave PHI in public view, such as charts left on the counter of the nursing station.
- Ensure that PHI is locked up or put away after hours.
- Verify recipients of PHI prior to the disclosure. Double-check the paperwork to ensure the PHI belongs to the individual about to receive it. For example, facilities must ensure that discharge paperwork is given to the correct patient.
- Never remove PHI from the facility unless it is pertinent and relevant to your job function and approved in advance by your manager.

43 Proper Disposal of Patient Health Information
It is our responsibility to protect patient health information (PHI). We must do this by taking precautions to ensure PHI cannot be read, obtained or overheard.

Patient health information is on:
- Faxes
- Patient labels
- Paper documents

PHI must be removed before disposal by:
- Removing/ripping off the PHI label
- Cutting out the PHI label and disposing of the label in the appropriate shred container
- Marking out all the PHI elements so they are not readable and disposing of the label in the appropriate shred container

44 Safeguarding Electronic PHI
- Log off workstations when not in use and never share passwords
- Use screen savers/privacy screens
- Position screens out of the general public view
- Adhere to all Information Security Policies and Standards

In today’s virtual world, PHI flows electronically in many different directions. Workforce members must take these precautions to ensure electronic PHI is protected:
- Log off workstations when not in use
- Never share passwords
- Use screen savers and privacy screens to prevent PHI from being observed
- Position monitors away from public view
- Adhere to all HCA Information Security Policies and Standards. For example, PHI e-mailed externally (outside the HCA network) must be encrypted in accordance with Information Security requirements.

45 Safeguarding External Faxing Guidelines
- Limit faxing when possible
- ALWAYS use fax cover sheets with a confidentiality statement for transmittals
- Verify the fax number
  - Use pre-programmed fax numbers when applicable
  - Have a standard process for periodically reviewing programmed numbers for changes
  - Test programmed numbers prior to initial use
  - Double-check fax numbers prior to hitting “send”
- Verify the intended recipient got the fax
- Fax machine located in a secure location
- Highly sensitive information should NEVER be faxed (HIV status, abuse records, etc.)

It is very easy to fax PHI to the wrong recipient, potentially resulting in a breach of information. Therefore, workforce members must implement these safeguards before faxing information:
- Use a fax cover sheet that includes a confidentiality disclaimer and recipient name to help mitigate the risk of inappropriate disclosure.
- Use pre-programmed fax numbers whenever possible to reduce the potential for mis-dialed fax numbers. Facilities must have a standard process in place to periodically review programmed numbers for changes. For example, review all pre-programmed numbers every six months. Test all pre-programmed numbers prior to first use.
- Double-check the fax number and recipient prior to hitting “send” on the fax machine.
- Verify that the fax was received by the intended recipient.

46 Key Takeaways
- Protecting PHI is required by law
- Safeguarding PHI is everyone’s responsibility
- HIPAA gives patients privacy rights
- Work with your FPO for patient privacy questions, complaints and concerns
- PHI may only be accessed by those with a legitimate need to know

In closing, the key takeaways of this HIPAA training course are:
- Protecting PHI is required by law
- It is everyone’s responsibility to safeguard PHI
- HIPAA gives patients certain privacy rights
- Your FPO is your key contact for your patient privacy questions, complaints and concerns
- Workforce members may only access PHI when there is a legitimate need to know
