HIPAA
Health Care Insurance Accountability and Portability Act
Catherine A. Gazda, MS RN
Quality Management Coordinator
Erie County Medical Center
Introduction
• What is it?
• How does it affect me?
Topics of Discussion
• Components of HIPAA
• Privacy Rule
• Security Rule
• Others
• Transactions & Codesets
• National Identifiers
• Penalties of disclosure
• Who implements HIPAA
• Examples that you will encounter
Components of HIPAA
• Health Insurance Portability: Patients can go from one insurer to another with continuity of coverage
• Fraud Enforcement
• Administrative Simplification:
  • Standardized transmission of health information (Transactions & Codesets)
  • Provide for confidentiality, integrity and availability of protected health information. (Security Rule)
  • Implement policy safeguards to ensure privacy of protected health information. (Privacy Rule)
Privacy Rule
• Applies to protected health information in any format (oral, written, electronic)
• Gives patients control over their health information
• Sets boundaries on use and release
• Establishes safeguards to protect privacy
• Holds violators accountable
• Balances public responsibility
Security Rule
• Access to patient information is limited to those items/patients that you need to see for direct patient care (treatment, payment, operations; TPO). No family, friends, or neighbor’s information should be accessed.
• No discussion of cases involving protected health information with family, friends, etc., outside of TPO.
• Access is monitored.
• Keep ID and passwords private and secure. Sharing passwords is prohibited.
• Security of patient information on PDA, email, other electronic communication is required.
Penalties
• General Penalty: Each violation: $100. Maximum penalty for each violation $25,000. Over 50 distinct violations possible under Privacy alone.
• Wrongful disclosure: $50,000 and/or imprisonment for 1 year
• Offenses under false pretenses: $100,000 and/or 5 years imprisonment
• Offenses with intent to derive personal benefit (sell) information: $250,000 and/or 10 years imprisonment
Who implements HIPAA?
• Covered entity (hospital, practice plan, physician office) in possession of Protected Health Information is responsible for:
  • Developing policies/procedures and full implementation to meet all requirements of HIPAA regulations
  • Training of its workforce (anyone conducting treatment, payment or operations activities on its behalf)
  • Sanctioning violators and responding to complaints from the public or the Secretary of Health and Human Services
Pre-Test
1. You need medical information from another hospital. Can you request and access it without specific authorization for treatment of the patient? Yes/No
2. Your patient’s records are requested from an attorney. Can you give him the records? Yes/No
3. You are treating a patient and a nurse interrupts you and asks about orders on another patient. She uses the patient’s name. Is this a violation of privacy? Yes/No
4. You are speaking to your patient in a semi-private room. The person in the next bed may be listening. Is this a violation of privacy? Yes/No
5. Your patient wants to review and amend his record. Is this allowed? Yes/No
Pre-test
• 6. Can I discuss a patient’s condition in a nursing unit hall, elevator, or other public area if I don’t use the patient’s name? Is this a violation of privacy? Yes/No
• 7. Can I discuss the patient’s condition with other hospital employees? Yes/No
• Can I discuss the patient’s condition with family members? Yes/No
• Can I discard papers with patient information on them in any garbage can? Yes/No
• Can I use patient information for research purposes? Yes/No
Question 1: You are treating a patient and need information from another physician or hospital. Do you have access to this information without an authorization of the patient?
• Answer: Yes. For treatment, payment and operations, information can be released without specific authorization.
Question 2: You get a request from a lawyer to send information to them regarding one of your patients. Can you send this?
• Answer: A patient’s authorization is needed for you to send these. The patient also has the right to request and obtain a disclosure on who you send their information to.
• Specific authorizations are needed for release of the following types of information:
  • Mental Health
  • HIV/AIDS
  • Drug and Alcohol
  • SSA
• If you have any questions, please contact the Office of GME or Risk Management or Health Information Staff at the hospital.
Question 3: You are treating a patient and a nurse comes in and asks you about orders on another patient. She gives the patient’s name and order. Is this a violation of privacy?
• Answer: Yes. If the patient you are currently treating was able to figure out who the patient was by the information given, it is a violation of privacy.
Question 4: You are having a conversation with a patient in a semi-private room. The person in the next bed may be listening. Is this a violation of privacy?
• Answer: No. As long as you take reasonable steps to protect confidentiality: speak quietly, pull curtain, etc. Consider how to modify the environment to protect the patient’s privacy. If possible, consider using another area on the unit or within the facility that provides more privacy.
Question 5: Your patient reviews their record and wants to amend the record. Do we have to let them?
• Answer: Patients have the right to request and amend their medical records. The process to amend the record and the process involved with denial of the request to amend the record must be disclosed to the patient.
Question 6: Can I discuss a patient’s condition in a nursing unit hall, an elevator, or other areas if I don’t use the patient’s name?
• Answer: No. Someone may overhear the conversation and can figure out who the patient is without giving a name, e.g., using a room number when a relative may be in an elevator where the patient is being discussed. Do not use names during case presentations. Consider how to modify the environment to protect the patient’s privacy. Do not speak directly outside the patient’s room; move to a neutral area to discuss the case, etc.
Question 7: Can I discuss the patient’s condition with other hospital employees?
• Answer: Yes. Only if you are discussing the patient’s condition for purposes of payment, treatment, or operations. Even then, it is important to only give the minimum necessary information for that employee to know.
Question 8: Can I discuss the patient’s condition with family members?
• Answer: Yes. If the patient does not object, the hospital and provider can share the information with a family member, relative, or close personal friend who is involved in the patient’s care or payment for that care. The hospital will give the patient an opportunity to limit disclosure and must follow the patient’s wishes unless required by law to do otherwise. Please do not assume the patient wishes their family to be privy to their information.
Question 9: Can I discard papers with patient information on them in any garbage can?
• Answer: No. All documents with patient information must be protected at all times.
• Do not leave papers unattended in rooms
• Laying on desks or cabinets
• Discard in bins marked for this purpose
Question 10: Can I leave a telephone message on an answering machine for a patient?
• Answer: Yes, but remember to use only the minimum information to prompt the patient to return your call.
• Do not identify yourself or the organization
• Do not leave any specific medical information
Question 11: Can I use patient information for research purposes?
• Answer: Yes, but only under the proper conditions.
• HIPAA specifically defines research uses of protected health information as being outside of TPO (treatment, payment and operations).
• Need to access information only after one of seven specific mechanisms required by HIPAA has been implemented.
• All research must be approved by UB IRB. IRB will require appropriate HIPAA release mechanisms be identified.
• More information: http://www.hpitp.buffalo.edu/hipaa/UB_HIPAA_ResearchHomePage.htm
• Do not photocopy medical information for case presentation/rounds