HIPAA/HITECH Privacy and Security Student Training Academic Year 2014-2015
Introduction

Welcome to HIPAA/HITECH Privacy and Security training. As you may know, all health care organizations are required to comply with HIPAA/HITECH Privacy and Security Regulations. These regulations have undergone several updates, the latest of which were enacted in 2013. As UConn Health School of Medicine, School of Dental Medicine, and graduate students you most likely will have access to patients’ confidential health information and, therefore, are required to complete HIPAA/HITECH education. Thank you for completing this important training. Continuation in your educational program is contingent upon completion of this training.

“When it comes to privacy and accountability, people always demand the former for themselves and the latter for everyone else.” (David Brinkley)

UConn Health’s Confidentiality Policy
• “All individuals are expected to be professional and maintain confidentiality at all times, whether dealing with actual records, projects, or conversations...”
• “All individuals having access to confidential information are bound by strict ethical and legal restrictions...”
Refer to UCHC policy # 2002-43 Confidentiality

What types of information must UCHC protect?
• Medical/Dental/Behavioral Health-related patient information
• Research data requiring protections (clinical trials, patient survey responses, etc.) as required by the NIH
• Student information
• Employee human resources and financial information
• Any information about employees, students, patients, Board Members, etc. which includes Social Security numbers
• Financial information
• IDs and/or passwords for access to UConn Health computing resources
• Other confidential or sensitive UConn Health information not in the public domain

HIPAA at a Glance
• HIPAA stands for: Health Insurance Portability and Accountability Act
• The “Health Insurance Portability” (HIP) part of HIPAA was intended to ensure the continuity of health insurance coverage for workers changing jobs.
• To facilitate this goal, Congress mandated national standards for transmitting and protecting health information.
• The “Accountability” part of HIPAA was designed to ensure the security and confidentiality of patient information/data and requires uniform standards for electronic transmission of data relating to patient health information.

HIPAA Privacy
• The HIPAA Privacy Rule was enacted to:
  • establish national privacy protection standards for all forms of health information created by “covered entities”, including health care providers.
  • set limits on the uses and disclosures of such information.
  • give patients rights over their health records.

HIPAA Security
• The HIPAA Security Rule was enacted to:
  • establish national standards for the security of electronic health information (ePHI).
  • protect individuals’ ePHI that is created, received, used or maintained by covered entities.
  • outline administrative, technical and physical procedures to ensure the confidentiality, integrity and availability of ePHI.

What is HITECH?
• HITECH stands for: Health Information Technology for Economic and Clinical Health Act
• It is part of the American Recovery and Reinvestment Act (ARRA).
• Interim rule enacted in 2009.
• Widened the scope of privacy and security protections under HIPAA.
• Included health care information technology incentives such as:
  • creating a national health care infrastructure.
  • adopting an electronic health record (EHR) system.
• The HITECH final rule was enacted in January 2013.
• Made a significant number of changes to HIPAA Privacy and Security.

We’ve Come a Long Way... Maybe
• Electronic data transmission is a double-edged sword.
• More technology = increased vulnerability of personal information.
• As technology changes we have to do more to protect that information.
• The confidential information we come in contact with every day is only as safe as our weakest link.

What is Protected Health Information (PHI)?
• Any type of individually identifiable health information in any format, including:
  • Paper or other media
  • Verbal
  • Photographed or duplicated
  • Electronically maintained and/or transmitted

What makes PHI identifiable?
Any unique number, code or characteristic that links information to a specific individual, such as:
• Name
• Address
• Zip Code
• Telephone number
• Fax number
• Photographs
• Fingerprints
• Email address
• Internet address
• Dates
• Social Security Number
• Medical Record Number
• Patient Account Number
• Insurance Plan Numbers
• Vehicle Information
• License Numbers
• Medical Equipment Numbers

What is “de-identified” information?
• Information in which specific pieces (identifiers) have been removed so that it cannot be linked to any individual or be re-identified.
• If patient information is de-identified it is not considered PHI and is not protected under the HIPAA privacy regulations.
Refer to UCHC Policy # 2003-29: Creation, Use and Disclosure of De-identified PHI
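The two slides above list the identifiers that make health information PHI and define de-identification as removing them. The following Python example, added here for illustration and not part of the UConn Health training or any UConn Health system, shows what that removal looks like in practice for a small structured record plus a free-text note. It goes slightly beyond the slides by applying the HIPAA Safe Harbor treatment of dates (keep the year only, and collapse ages over 89 into a single bucket, per 45 CFR 164.514(b)); the field names, regular expressions and the sample record are all constructed for this example.

```python
import re
from datetime import date

# Structured fields carrying the identifiers listed in the training. These
# field names are constructed for the example; they are not a real schema.
IDENTIFIER_FIELDS = {
    "name", "address", "zip", "phone", "fax", "email", "ip_address",
    "ssn", "mrn", "account_number", "insurance_plan_number",
    "vehicle_id", "license_number", "device_serial", "photo_ref",
}

# Identifiers that commonly leak inside free-text notes (constructed patterns).
PATTERNS = {
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "mrn":   re.compile(r"\bMRN[- ]?\d{6,}\b", re.IGNORECASE),
    "date":  re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b"),
}

# Reference date for age calculations, fixed so the example is reproducible.
AS_OF = date(2015, 1, 1)


def find_identifiers(text):
    """Return (kind, match) pairs for every identifier pattern found in text."""
    return [(kind, m.group(0)) for kind, pat in PATTERNS.items()
            for m in pat.finditer(text)]


def scrub_text(text):
    """Remove identifiers from free text; dates are reduced to the year only."""
    text = PATTERNS["date"].sub(lambda m: m.group(1), text)
    for kind in ("ssn", "phone", "email", "mrn"):
        text = PATTERNS[kind].sub("[%s REMOVED]" % kind.upper(), text)
    return text


def birth_year_or_bucket(dob, as_of):
    """Year of birth, except that ages over 89 are collapsed into '90+'."""
    had_birthday = (as_of.month, as_of.day) >= (dob.month, dob.day)
    age = as_of.year - dob.year - (0 if had_birthday else 1)
    return "90+" if age > 89 else str(dob.year)


def deidentify(record, as_of=None):
    """Drop direct identifiers, generalize dates, and scrub free-text fields."""
    as_of = as_of or date.today()
    out = {}
    for key, value in record.items():
        if key in IDENTIFIER_FIELDS:
            continue                       # direct identifiers are removed outright
        if key == "date_of_birth":
            out["birth_year"] = birth_year_or_bucket(value, as_of)
        elif key in ("admission_date", "discharge_date"):
            out[key[:-5] + "_year"] = str(value.year)   # e.g. admission_year
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


def residual_identifiers(record):
    """Audit step: any pattern hit left in a de-identified record is a finding."""
    return [(key,) + hit for key, value in record.items()
            if isinstance(value, str) for hit in find_identifiers(value)]


# Constructed sample record; not real patient data.
SAMPLE = {
    "name": "Jane Doe",
    "mrn": "MRN-00123456",
    "ssn": "123-45-6789",
    "phone": "860-555-0123",
    "date_of_birth": date(1922, 4, 2),
    "admission_date": date(2014, 9, 14),
    "diagnosis": "Type 2 diabetes",
    "note": ("Seen 9/14/2014. Spouse reachable at 860-555-0199 or "
             "jdoe@example.com; see MRN-00123456 for prior labs."),
}

if __name__ == "__main__":
    clean = deidentify(SAMPLE, as_of=AS_OF)
    for key, value in clean.items():
        print("%-16s %s" % (key, value))
    print("residual identifiers:", residual_identifiers(clean))
```

The audit pass at the end is the part worth keeping in mind: removing the structured fields is easy, but identifiers copied into narrative notes are what usually survive a naive export, so a de-identified data set should be re-scanned before it is treated as non-PHI.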
Knowledge Check
Which of the following is not considered Protected Health Information (PHI) under HIPAA?
A. An EKG report for a participant in a human subject research study.
B. A discharge summary for a John Dempsey Hospital patient.
C. A photo used for medical student education showing only a wound on the hand of an unidentified patient.
D. A patient invoice that includes a listing of diagnostic lab tests completed.

Genetic Information
• Genetic information, including family history, is considered PHI under HIPAA.
• Includes:
  • genetic tests, requests for genetic services, or participation in clinical research that includes genetic services by an individual or his/her family member.
  • any manifestation of a disease in the individual’s family member.
• Genetic information may not be used for underwriting purposes.

Protecting PHI
• All health information that can be linked in any way to an individual must be protected under HIPAA.
• As an institution, UConn Health has an obligation to protect the privacy of patient information and maintain the security of that information on our electronic systems.
• Everyone must be vigilant in their efforts to handle confidential information in a way that prevents improper exposure.
• HIPAA is ultimately about patients and their right to expect protection of their health information.

Patient Rights
• Patients have the right to:
  • Receive an accounting of certain disclosures of PHI.
  • View and obtain copies of their records.
  • Request an amendment to their medical records.
  • Request that any communication related to PHI be directed to a specific location.
  • Request restrictions on the use or sharing of their information.
  • Receive the UConn Health “Notice of Privacy Practices” (NPP) outlining these rights.

Patient Right to an Accounting of Disclosures
• Upon request, patients must be provided a list of all PHI disclosures made outside of the institution, including:
  • disclosures of which the patient may not otherwise be aware.
  • improper disclosures resulting in a breach.
• An accounting of such disclosures is maintained in the patient’s medical record on the “Protected Health Information Disclosure Tracking Log”.

Patient Right to an Accounting of Disclosures (continued)
• Disclosures exempt from the accounting requirement include:
  • those for treatment, payment or healthcare operations (TPO).
  • those directed to the patient or in response to the patient’s authorization.
Refer to UCHC policy # 2003-18: Accounting of Disclosures of Protected Health Information to Patients and to the Protected Health Information Disclosure Tracking Log
Knowledge Check
Any access, use or disclosure of a patient’s PHI that is determined to be a breach must be logged on the “Protected Health Information Disclosure Tracking Log”.
True / False

Patient Right to View His/Her Record
• Patients have a right to view their records upon request.
• Only written requests using the UCHC “Request to View Record/Notification of Approval or Denial to View” form are accepted.
• Requests are reviewed with the patient’s attending of record to determine whether the request will be honored.
• UConn Health and the physician will provide a written response to the patient regarding any request denial.
• Original records are the property of UConn Health and may not be removed from the facility except by court order.
Refer to UCHC policy #2003-17-A: Patient Right to View His/Her Medical and/or Billing Record

Patient Right to Obtain a Copy of His/Her Medical/Dental or Billing Records
• Patients also have the right to request copies of their PHI in any form they choose or that is mutually agreed upon, provided the PHI is readily producible in that format.
• If PHI is maintained electronically, UConn Health is required to provide an electronic copy at the patient’s request.
• However, UConn Health is not required to provide unlimited format choices.
Refer to UCHC policy #2003-17-B: Patient Right to Copy His/Her Medical and/or Billing Record

Patient Right to Send Record Copies to Others
• Patients may also request that copies of their medical records be sent to other designated individuals.
• Requests must be made in writing, clearly identifying the designated recipient and where to send the copy.
• Records may be provided in an unencrypted form if the patient understands the risk and agrees in writing.
• It is recommended that records not be sent via email.

Patient Requests for Record Copies
• Patient requests for record copies must be addressed (granted or denied) within 30 days.
• A one-time 30-day extension is allowed with patient notification.
• A reasonable, cost-based fee may be charged.
• Requests for record copies may be denied under certain circumstances.
• Patients have a right to appeal a denial.

Patient Right to Amend His/Her Medical Record
• Patients can request corrections be made to any inaccurate or incomplete information in their medical, research, or billing records.
• Only written requests are accepted.
• A request to amend may be denied.
• The patient may write a disagreement, to which UConn Health may write a rebuttal.
• Copies of all such documentation are maintained in the patient’s record.
Refer to UCHC policy #2003-17-C: Patient Right to Amend Their Medical and/or Billing Record and the Request for Amendment of Health Information form.

Patient Right to Confidential Communications
• UConn Health must honor all patient requests to receive communications of PHI from UConn Health by alternative means or at alternative locations.
• Follow the steps outlined in UCHC policy #2003-15: Patient Right to Request Confidential Communications

Patient Right to Restrict Disclosures to Health Care Plans
• UConn Health must honor patient requests to restrict certain disclosures of PHI to health plans if:
  • the disclosure is to carry out payment or healthcare operations.
  • the disclosure is not required by law.
  • the PHI pertains solely to a health care item or service for which the patient or other person has paid out of pocket and in full.

Notice of Privacy Practices (NPP)
• The Notice of Privacy Practices is UConn Health’s pledge to patients to keep their medical, dental and billing information private.
• The NPP describes to patients:
  • How their PHI is used and disclosed.
  • Their rights regarding health information.
  • How to exercise those rights.

Notice of Privacy Practices (NPP)
• The NPP must be:
  • provided to all patients (excluding inmate/patients).
  • acknowledged by anyone receiving the notice.
  • posted in a prominent location.
  • available on UConn Health’s website.
Refer to UCHC policy # 2003-13: Permission to Treat/Assignment of Benefits/Authorization to Release Medical/Dental Records/Acknowledgment of Receipt: Notice of Privacy Practices (Privacy and Security of Protected Health Information (PHI))
Sharing PHI Without Authorization: Remember “TPO”
• In order to access, use or share PHI without a signed patient authorization, the purpose must be related to:
  • Treatment within and between healthcare providers across UCHC or in the community.
  • Payment for treatment.
  • Operations, i.e. normal UConn Health business activities:
    • Quality improvement
    • Training
    • Audit/legal/compliance reviews
    • Evaluating caregiver performance

Sharing PHI without Authorization
• Other than TPO, Protected Health Information (PHI) may be shared without a signed authorization for the following reasons:
  • Public Health Activities
    • Preventing or controlling disease
    • Reporting abuse, neglect or domestic violence
    • FDA-regulated product safety
  • To provide information to coroners, medical examiners, or funeral directors.
Refer to UCHC policy #2003-27: Use and Disclosure of PHI Where Authorization or Opportunity for Patient to Agree or Object is NOT Required

Sharing PHI without Authorization
• Reasons other than TPO (continued):
  • Organ donation.
  • Health oversight activities:
    • Audits
    • Civil, administrative, or criminal investigations
    • Inspections
  • Court order or subpoena.
  • For law enforcement purposes related to crimes, provided certain criteria are met.

Disclosure of Patient Information to the Public and Community Clergy Members
• Unless a patient objects, UConn Health may disclose that patient’s location (hospital room and telephone number) to persons that inquire about that patient by name.
• Members of the clergy will also be provided with a patient’s religious affiliation unless the patient objects.
Refer to UCHC policy #2003-26: Directory Information: Disclosure of a Patient’s Information

Communicating with a Patient’s Family and Friends
• PHI should never be shared with a patient’s family member, friend or others involved in a patient’s care unless the patient has given permission to do so.
• A patient can indicate during a discussion with caregivers that a particular person may be included in that discussion of medical and/or financial information.
• If a patient is unable to communicate his/her wishes for any reason, UConn Health may determine whether a particular disclosure is in the best interest of the patient.
Refer to policy # 2003-25: Use and Disclosure Involving Family and Friends

Knowledge Check
Maria is a dental student and has assisted with a procedure in the dental surgery center. The patient’s neighbor has arrived to give the patient a ride home after the procedure and is waiting with the patient. Maria needs to review some information with the patient related to the procedure and follow-up recommendations, but she isn’t sure if the patient has given permission to communicate with her neighbor. What should she do?
• Review the information privately with the neighbor first since she is taking the patient home.
• Review the information with the patient and neighbor together since the patient must approve if the neighbor is in the room.
• Ask the patient’s permission to review the information in front of her neighbor.
• Discharge the patient and plan to review the information during her next clinic appointment.

Disclosures Regarding Decedents
• Care providers may disclose PHI to a family member or person who was involved in the care of a deceased patient unless otherwise expressed by the decedent while he or she was alive.
• Use your knowledge or best judgment regarding disclosure.
• HIPAA will no longer apply to individuals deceased more than 50 years.

When is a patient authorization required?
• In general, if the reason for access, use, or disclosure of information is not related to “TPO” you must have a signed patient authorization.
• Never access, use or disclose PHI without a patient’s consent, if indicated.
Refer to UCHC policy # 2003-16: Authorization for Release of Information and the associated authorization form.

Patient Authorizations
• A valid authorization includes specific requirements:
  • PHI to be released
  • Who may release the information
  • Who may receive the information
  • Purpose of the disclosure
  • Expiration date
  • Signature of patient or patient representative
• Use only UConn Health HIPAA-compliant authorization forms.
• A patient may withdraw authorization at any time, except to the extent that UConn Health has already used or released information under a valid authorization.
Refer to policy # 2003-16: Authorization for Release of Information.

Knowledge Check
A signed patient authorization gives UCHC permission to disclose any and all parts of a patient record.
True / False
Minimum Necessary Rule
• Except for treatment purposes, limit access, use or disclosure of PHI to the minimum necessary to accomplish the intended purpose.
• Access, use or disclose:
  • Only PHI needed to complete an assigned task in your student role, and
  • Only when the specific PHI is necessary to perform that task.
• Unless you need certain patient information to carry out your student responsibilities, do not access that information.
Refer to policy # 2003-21: Minimum Necessary Data

Students’ Friends and Family: Access and Disclosure
• Unless required for a specific treatment-related task, students may not:
  • Access family’s or friends’ information, even if they ask you to do so.
  • Access supervisors’ or other residents’/students’ information, even if they ask you to do so.
• Students may not disclose patient information to anyone that is not authorized to have the PHI, including:
  • Family
  • Friends/neighbors
  • Fellow students
• UConn Health policy prohibits students who are also patients from accessing their own medical information for personal reasons.

Verifying Information Requests
• Before sharing any PHI, UConn Health must verify:
  • The identity of the individual requesting the information.
  • That this individual has the right to obtain the information requested.
• If a patient calls to obtain information about him/herself, UConn Health will verify the individual’s identity using information available in the Patient Registration system.
• In the event that an individual’s identity and/or legal authority cannot be verified, UConn Health staff members will not disclose the PHI and will report the request to their immediate supervisor.
Refer to policy # 2003-20: Verification of Individuals or Entities Requesting Disclosure of Protected Health Information

Verbal Exchanges Involving PHI
• Discuss PHI only with those that have a “need to know” for specific assigned job functions.
• Be aware of your surroundings when discussing patient information.
• Move to a private area if needed.
• Avoid discussions involving PHI in areas where you may be overheard, such as cafeterias, hallways, elevators, patient waiting rooms, etc.

Knowledge Check
While eating lunch in the cafeteria, you overhear a group of students and residents discussing a patient they saw on rounds that morning. You hear them reviewing the patient’s diagnosis, prognosis and treatment plan. You notice other employees as well as visitors at nearby tables. What should you do?
• Move to another table so you won’t hear the discussion.
• Stare at the group in hopes that they get the message to end their conversation.
• Politely remind them that they should not discuss patients in a public area.
• Sit down and join them since the discussion sounds really interesting.

Telephone/Voicemail/Answering Machine Disclosure of PHI
• Never leave information containing PHI over the phone with someone other than the patient.
• Leave only generic information on voicemail or answering machines.
• Never leave any PHI, including indication of the services being performed or the service provider.
Refer to UCHC policy # 2003-24: Telephone/Voicemail/Answering Machine Disclosure of PHI

Knowledge Check
Sarah works in the Cancer Center. At the request of her patient, she calls the patient to report her recent lab results. The patient has indicated on the UConn Health “Permission to Communicate” form that information may be shared with her husband, whom she has identified by name. When Sarah calls the patient’s home, she reaches the patient’s sister, who tells her that the patient is not at home. What should Sarah do?
• Hang up and call back at another time.
• Tell the patient’s sister that she is calling from UConn Health and ask that the patient return her call.
• Tell the patient’s sister that she is calling from the UConn Health Cancer Center with lab results and ask that the patient call her back.
• Ask the sister to get a pen and paper to write down the results to give to the patient.