1 / 21

HIPAA Training

HIPAA Training. Developed for Ridgeview Institute 2012 Hospital Wide Orientation. Introduction. The purpose of HIPAA training is to uphold the confidentiality of medical record information and protect the patient’s right to privacy in the collection and disclosure of patient information.

leland
Télécharger la présentation

HIPAA Training

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. HIPAA Training Developed for Ridgeview Institute 2012 Hospital Wide Orientation

  2. Introduction The purpose of HIPAA training is to uphold the confidentiality of medical record information and protect the patient’s right to privacy in the collection and disclosure of patient information. HIPAA regulations require organizations, such as Ridgeview Institute, to provide HIPAA training to its workforce members.

  3. Health Insurance Portability and Accountability Act(HIPAA) is a federal law to provide privacy standards to protect patient’s medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. These standards provide patients with access to their medical records and more control over how their personal health information is used and disclosed. What is HIPAA?

  4. Patient Rights Patients have the right: • To receive a copy of Ridgeview Institutes Notice of Privacy Practices • To request restrictions on disclosures of Protected Health Information • To receive an accounting of disclosures • To request an alternate means of communication, such as sending mail to a P.O. Box versus home address.

  5. Right to Complain Patients have the right to complain if they feel their privacy rights have been violated. Refer patients with complaints about privacy violations to Ridgeview Institute’s Privacy Officer. Anita Thomas ext. 2801 HIPAAprivacyofficer@ridgeviewinstitute.com

  6. Protecting Patient Confidentiality As a healthcare worker, you must do your best to keep patient information confidential, regardless of whether you know the patient. Discussing PHI with individuals not involved in the patient’s care is a violation of the patient’s rights! Each Ridgeview work force member is responsible for maintaining and protecting the privacy and confidentiality of patients, family members, visitors, and co-workers. CONFIDENTIAL

  7. What is PHI? All protected health information (PHI) is subject to federal HIPAA regulation, which refers to any information that identifies a patient and relates to at least one of the following: • The individual's past, present, or future physical or mental health • The provision of health care to the individual • Past, present, or future payment for health care • Information that can identify an individual includes either the individual's name or any other information that could enable someone to determine the individual's identity. Protected Health Information Paper Documents ePHI (electronic data) Faxes Oral Communication

  8. PHI & ePHI • Types of Identifying Health Information • Name • Address • All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89) • Telephone numbers • FAX number • Email address • Social Security number • Medical record number • Health plan beneficiary number • Account number • Certificate/license number • Any vehicle or other device serial number • Device identifiers or serial numbers • Web URL • IP address • Finger or voice prints • Photographic images • Any other characteristic that could uniquely identify the individual Definitions Protected Health Information (PHI) is all individually identifiable health information held or transmitted by Ridgeview in any form or media whether electronic, paper records, fax documents or oral communications. ePHI is all individually identifiable health information that Ridgeview creates, receives, maintains or transmits in electronic form.

  9. Physical Security Physical Security involves common sense steps to safeguard information from physical threats. • These steps include: • Locking Doors & Desks • Storing Computer equipment safely and securely • Making sure that those around you cannot easily view PHI or ePHI • Controlled Facility Access (e.g., ID badge)

  10. Physical Safeguards Ridgeview Institute takes measures to provide physical safeguards by limiting physical access to facilities where PHI is stored and requiring employees to wear authorized ID badges at all times while on campus. Additional required steps include: • Never leave your PC unattended while you are logged in. • Never share your log in password with anyone. It is a violation of Ridgeview Policy to share your password or log-in credentials. • Keep your computer monitor positioned out of public view. • Hold your conversations with patient/family in areas where PHI is not easily overheard.

  11. Inappropriate access to PHI It is a blatant violation of patient privacy to view someone’s record for reasons outside of your role at Ridgeview Institute. Those authorized to view a patient’s record are allowed to do so only as needed to perform their job. This limited access includes restrictions to accessing Hard Copies (Paper Records) and Electronic Data Records.

  12. HIPAA–Minimum Necessary Requirement HIPAA calls on health care workers to use the minimum amount of patient information they need to do their jobs efficiently and effectively. Ask yourself: • Do I need this information to do my job and provide good patient care? • What is the least amount of information I need to do my job? • What is the minimum amount I need to share with other to provide quality patient care?

  13. Disclosure of PHI HIPAA requires an authorization signed by the patient or the patients’ legal guardian before any PHI may be communicated verbally or in writing to another party. Federal regulations require documentation of what information was released, the date released, and who released the information, be recorded in the medical record. This may be documented at the bottom of the authorization form.

  14. Exceptions to Disclosure • Medical Emergencies • Reporting of Suspected Abuse (child or elder) • Reporting of Communicable Diseases • Court Order

  15. Disposal of PHI HIPAA requires Protected Health Information (PHI) to be kept confidential even when it’s being thrown away. It is the responsibility of ALL Ridgeview work force members to dispose of anything with PHI in a locked trash bin designated for disposal of confidential information.

  16. Misdirected Faxes with PHI Misdirected faxes are not uncommon in the daily operations of a healthcare facility. • A Ridgeview employee who unintentionally sends a fax with PHI to the wrong party should report the incident to their supervisor or Ridgeview’s HIPAA Privacy Officer immediately at x2801 or email HIPAAPrivacyOfficer@ridgeviewinstitute.com • In addition, all print jobs should be picked up IMMEDIATELY from the printer and should never be left unattended. Ridgeview’s HIPAA Privacy Officer Anita Thomas

  17. Health Information Technology for Economic and Clinical Health (HITECH) Act The HITECH Act (law) strengthens HIPAA enforcement. It includes provisions that call for increased monetary penalties for violation of HIPAA privacy and security regulations, new patient information breach notification requirements, and increased privacy rights for patients. • HITECH established four tiered ranges of increasing minimum penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical nature during a calendar year. • Depending on the circumstances, federal or state law may permit civil or criminal litigation and/or restitution, fines, and/or penalties (including jail time) for actions violating HIPAA. • Ridgeview Sanction Policy which could include termination of employment depending on the severity of the violation. A recent example in the news, a hospital in Massachusetts agreed to pay a $1 million dollar fine as a result of an incident involving the loss and disclosure of PHI of 192 patients.

  18. Breach Notification (HITECH) If it is determined there is a violation, certain entities must be notified: • Individual whose privacy has been violated • Office of Civil Rights under the DHHS • Media (over 500 individuals) • Business Associates must report to the Covered Entity

  19. Business Associates (BAs) HIPAA governs those who contract with Ridgeview Institute and use or have access to Protected Health Information (PHI). Penalties and sanctions are applied directly to BAs violating Privacy and Security regulations.

  20. RVI Intranet: HIPAA Related SPPs • 1.2 Business Associates • 1.6 Confidentiality • 7.1 Personnel Security • 7.2 Workstation Use • 7.3 E-mail, Internet, & Intranet Use • 14.24 Faxing Employee Healthcare Info. • 15.2 Release of Information

  21. HIPAA Related SPPs (continued) • 15.3 Completion of Medical Record • 15.4 Faxing Patient Information • 15.5 Amendment to Protected Health Information • 15.6 Right to Request Privacy Protection • 15.7 Sanctions for Non-Compliance with HIPAA • 15.8 Privacy Complaints • 15.9 Notices of Privacy Practices of PHI

More Related