1. HIPAA Job Specific Education1 HIPAA Privacy Keys to Success Education for Students Updated February 2010

2. HIPAA Job Specific Education2 HIPAA and Its Purpose What is HIPAA?  Health Insurance Portability and Accountability Act of 1996  Title II – Administrative Simplification  It’s a federal law  HIPAA is mandatory, penalties for failure to comply Purpose:  Protect health insurance coverage, improve access to healthcare  Reduce fraud and abuse  Improve quality of healthcare in general  Reduce healthcare administrative costs (electronic transactions)

3. HIPAA Job Specific Education3 HITECH and Its Purpose What is HITECH?  Health Information Technology for Economic and Clinical Health Act  Subtitle D of the American Recovery and Reinvestment Act of 2009 (ARRA)  It’s a federal law Purpose:  Makes massive changes to privacy and security laws  Applies to covered entities and business associates  Creates a nationwide electronic health record  Increases penalties for privacy and security violations

4. HIPAA Job Specific Education4 Civil Penalties for Non- compliance* Violation CategoryEach ViolationAll such violations of an identical provision in a calendar year Did Not Know$100 - $50,000$1,500,000 Reasonable Cause$1,000 – $50,000$1,500,000 Willful Neglect – Corrected$10,000 - $50,000$1,500,000 Willful Neglect – Not Corrected$50,000$1,500,000 *As of 2/17/09

5. HIPAA Job Specific Education5 Criminal Penalties for Non- compliance These penalties can apply to any “person”, including students. The penalties are higher for actions designed to generate monetary gain  up to $50,000 and one year in prison for obtaining or disclosing protected health information  up to $100,000 and up to five years in prison for obtaining protected health information under "false pretenses"  up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm

6. HIPAA Job Specific Education6 Facility Privacy Official The name of the facility’s FPO is Debra Hasling. The FPO is Responsible for: –Privacy Program –Privacy Rights of patients –Requests for Privacy Restrictions –Facilitating the training and education of staff

7. HIPAA Job Specific Education7 HIPAA Terminology HIPAA: Health Insurance Portability and Accountability Act HITECH: Health Information Technology for Economic and Clinical Health Act PHI: Protected Health Information CE: Covered Entity (Hospital) ACE: Affiliated Covered Entity (Common ownership) OHCA: Organized Health Care Arrangement (The hospital and medical staff will be considered an Organized Health Care Arrangement) DRS: Designated Record Set (medical record and billing record) AOD: Accounting of Disclosures (patient’s right to receive) Directory: Hospital census list used by volunteers and operators with name and room

8. HIPAA Job Specific Education8 How will HIPAA affect you? Coversheets with confidential statement need to be used on all external faxes. Screens need to be placed out of public view when possible Patient charts need to be placed in secure area PHI needs to be placed in Shred-It containers for disposal Patient family members will be given a passcode for information other than directory releases Patient information should only be accessed if there is a need to know

9. NEED TO KNOW Any person (including students) who have access to the facility or Company systems or applications may only view information contained in that system when there is a NEED TO KNOW for purposes of treatment, payment or operations. HIPAA Job Specific Education9

10. Accessing Your Medical Record You may never access your own medical record via the Meditech system. You may access your own medical record by following the procedures as required for any patient. HIPAA Job Specific Education10

11. MONITORING NEED TO KNOW HCA’s IT&S Department monitors all individuals who access its medical records through ongoing “Appropriate Access” audits. When IT&S determines a student may have accessed a medical record without the NEED TO KNOW, IT&S will contact that student’s supervisor. HIPAA Job Specific Education11

12. HIPAA Job Specific Education12 How will HIPAA affect you? Registration will give out a Notice of Privacy Practices brochure to every patient concerning our patient privacy protection policy. Patients will be given the option to “opt out” of our directory. Patients have a right to a copy of their medical record Authorizations need to be obtained from patient to release information for reasons other than for treatment, payment or healthcare operations (TPO)

13. HIPAA Job Specific Education13 What is Protected by HIPAA (PHI)? Any one of the following is PHI. Name Address including street, city, county, zip code and equivalent geocodes Names of relatives Name of employers Birth date Telephone numbers Fax Numbers Electronic e-mail addresses Social Security Number Medical record number Health plan beneficiary number Account number Certificate/license number Any vehicle or other device serial number Web Universal Resource Locator (URL) Internet Protocol (IP) address number Finger or voice prints Photographic images Any other unique identifying number, characteristic, code

14. HIPAA Job Specific Education14 What is a Covered Entity (CE)? Health plans, Health care clearinghouses, and Health care providers that transmit electronically for billing –Examples Hospitals Physician Practices Insurance companies Ambulance Transportation Services Hospice Home Health

15. HIPAA Job Specific Education15 What does that mean to me? Information may be shared without patient authorization as it relates to treatment, payment or hospital operations (TPO) When in in doubt… check with the Charge Nurse or Department Director prior to sharing information without patient authorization.

16. HIPAA Job Specific Education16 Disclosing PHI to Family Members and Friends Who Call the Unit Patients are assigned a four-digit passcode. Family members and friends need this passcode to be able to get non-directory information Distribution of the passcode is the responsibility of the patient

17. HIPAA Job Specific Education17 Verification of Requestors When a Covered Entity makes a Request via phone they will need: –Patient SS# + DOB and one of the following: –Account number, street address, MR#, birth certificate, insurance card or policy number –Scenario An unknown physician calling from cell phone must have the patient SS# + DOB and one of the above prior to information being provided to that physician.

18. HIPAA Job Specific Education18 External Faxing Guidelines Limit when possible Verify fax number Fax machine must be located in secure location ALWAYS use cover sheet with confidentiality statement for transmittals Highly sensitive information should NEVER be faxed (HIV status, abuse records, etc.)

19. HIPAA Job Specific Education19 Patient’s Right to Access Patients may request a copy or inspection of their medical record. BUT, students should not provide a copy to the patient nor allow the patient to inspect their medical record. Students should direct the patient’s request to Charge Nurse for follow up.

20. HIPAA Job Specific Education20 Patient’s Right to Opt out of Directory A patient can opt out of directory at anytime but this will most likely happen during the admission process. IF A PATIENT OPTS OUT OF THE DIRECTORY… you may not acknowledge the patient is in the facility AND You may not give information about the patient to family and friends unless they provide the 4-digit passcode.

21. HIPAA Job Specific Education21 Right to Privacy Restrictions Patients have the right to request a privacy restriction of their PHI But, NEVER agree to a patient requested restriction All requests must be made in writing and given to the FPO to make a decision on NO request is so small that it should not be routed to the FPO

22. HIPAA Job Specific Education22 Patient Privacy Complaints ALL privacy complaints must be routed to the FPO No privacy complaint is too small or insignificant

23. HIPAA Job Specific Education23 Notice of Privacy Practices Patient will receive a Notice of Privacy Practices (NOPP) upon each registration Notice of Privacy Practices outlines patient rights –Right to access –Right to amend –Confidential Communication –Right to Privacy Restriction –Right to Opt out of Directory Ask registration for a copy of the NOPP

24. Breach Notification Beginning February 2010…HITECH provisions require the following notifications when breaches (as defined in the regulations) occur: –To the patient (the facility is required to send a letter to the patient). –To the Department of Health and Human Services (the facility notifies DHHS online). –To the media when the breach involves more than 500 individuals in the same jurisdiction. HIPAA Job Specific Education24

25. HIPAA Job Specific Education25 Security Compliance TAKE IT SERIOUSLY Log off terminals when not in use. Computer screens should be positioned so information (PHI) is not readable by the public Printers should be in protected locations so that printed information is not accessible by the public. PHI must be disposed using SHRED –IT bins.

26. HIPAA Job Specific Education26 Common Exposures To Avoid Discussions of patient information in public places such as elevators, hallways and cafeterias Printed or electronic information left in public view (e.g., charts left on counters) PHI in regular trash Unauthorized individuals hearing patient sensitive information such as diagnosis or treatment

27. SOCIAL NETWORKING NEVER discuss patients or patient information (even if you think it is unidentifiable) on a social network site, such as Face Book or Twitter. HIPAA Job Specific Education27

28. HIPAA Job Specific Education28 Disciplinary Action and/or School Notification 3 levels of violations with disciplinary action and/or notification to the school: –Accidental disclosure of PHI may result in an oral or written warning. –Purposeful violation of privacy policy may result in notification to school and dismissal from hospital’s student program. –Purposeful violation of privacy policy with associated potential for patient harm will result in notification to school and dismissal from the hospital’s student program.

29. HIPAA Job Specific Education29 Tracking Your Training Federal law requires each HCA facility to document that you have successfully completed HIPAA training and to track that documentation for six (6) years.

30. 1.You must successfully pass the HIPAA Quiz; 2.Receive a Certificate of Completion from the facility; & 3.Ensure your facility has a copy of both your Quiz and Certificate for their records. Please keep a copy of your Quiz and the Certificate for your records HIPAA Job Specific Education30 STOP!! STOP!! STOP!! STOP!! Your training is NOT complete!!