Protecting Patient Privacy
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Revised 1/6/12
Objectives
After completing this program you will be able to:
• Discuss the general concepts of HIPAA guidelines
• Adapt HIPAA guidelines for the various settings in which you might practice
• Discuss patient/client rights regarding his/her health information
• Differentiate individuals who have a ‘need to know’ from those who do not; this determines those with whom you can discuss protected health information
• Discuss application of HIPAA to your role
• List legal and professional consequences of violating the HIPAA rule
HIPAA
• Health Insurance Portability and Accountability Act
• Federal law passed by Congress in 1996
• Regulations promulgated by the Dept. of Health and Human Services
• Guidelines implemented in April 2003
What part do you play in implementing HIPAA? How does this law affect your role?
HIPAA regulations were designed to:
• Protect individuals’ rights to privacy and confidentiality, and
• Assure the security of electronic transfer of personal information
The first, protecting privacy and confidentiality rights, is the subject of this instructional program.
HIPAA applies to us all, in all settings. That means at work, at home, and on the bus, as well as in hospitals and clinics.
Why HIPAA?
• Genetic advancements: as more is known about our genetic predisposition to diseases, HIPAA will ensure that, for example, an individual is not denied insurance because the company knows that she may eventually develop Multiple Sclerosis
• Marketing: as information is more easily captured concerning, for example, the prescriptions we purchase, HIPAA is designed to prevent marketing of unsolicited products or services based on harvested marketing data
• Technology: as information is quickly and sometimes loosely moved around networks, HIPAA standards will hold violators accountable for accidental or intentional ‘interception’ of protected health information (PHI)
• An Atlanta truck driver lost his job after his employer learned from his insurance company that he had sought treatment for a drinking problem.
• The late tennis star Arthur Ashe’s positive HIV status was disclosed by a healthcare worker and published by a newspaper without his permission.
• Tammy Wynette’s medical records were sold to the National Enquirer by a hospital employee for $2,610.
When and how often do I need to be certified?
• The law requires that we comply with the regulations and adhere to agency guidelines.
• The ‘certificate of completion’ you will receive upon completion of this program will be valid for one year.
• Each fieldwork (FW) site has its own requirements. It is your responsibility to know and comply with the HIPAA requirements of your FW site.
What Objectives do the Privacy Regulations Accomplish for Patients?
• Give patients more control over their health information.
• Set boundaries on the use and disclosure of health records.
• Establish appropriate safeguards for all people who participate in or are associated with the provision of healthcare to ensure that they honor patients’ rights to privacy of their PHI.
• Hold violators accountable through civil and criminal penalties.
• Strike a balance when public responsibility requires disclosure of some forms of data, for example, to protect public health.
With HIPAA we now have new terms and abbreviations to learn!!
• Protected Health Information (PHI) or Protected Medical Information (PMI): any data about the patient that would tend to identify the individual
Protected Health Information (PHI):
• Includes demographic information that identifies an individual, and
• Is created or received by a health care provider, health plan, employer, or health care clearinghouse
• Relates to the past, present, or future physical or mental health or condition of an individual
• Describes the past, present, or future payment for the provision of health care to an individual
Examples of PHI include:
• Name
• Address
• Social Security number
• Medical record number
• Date of birth
• Telephone number
• Photos
• Fingerprints
• Diagnosis
• Fax number
• Lab results
New terms and abbreviations
• Privacy Officer (PO): Each facility will have an employee who is responsible for implementing and enforcing this law. Some may have one over a multi-facility network, others one at each site. As an occupational therapy student, this individual (after your fieldwork educator) could be your point of information regarding HIPAA.
• Covered Entity (CE): Any health plan, healthcare provider, or agency that processes claims, and any company that subcontracts with them, is covered by this law.
• Release/Disclosure: Terms used in describing the release of PHI to other CEs for TPO (treatment, payment, or health care operations).
• Accounting of Disclosure (AOD): The patient has the right to have an AOD for his PHI or PMI.
• Directory: The CE’s census or list of patients used by volunteers and operators to direct visitors. Different agencies may have other terms they use to communicate HIPAA policies. You will need to keep alert to these instances to comply with the spirit of the law.
• Business Associate (BA): A person (vendor) who performs or assists a provider or health plan in the performance of a function or activity involving the use or disclosure of PHI, or any other function or activity regulated by the HIPAA Privacy Rule
Business Associates
Examples of business associates:
• Transcription services
• Physicians
• Utilization review contractors
• Device manufacturers
• Accreditation organizations
Who is not a business associate:
• Most delivery services
• The long distance telephone supplier
• Housekeeping services
The next few slides will present the basic principles of HIPAA as they apply to the student role:
• The seven rights in the HIPAA privacy guidelines
• Using equipment (computers, printers, fax, and similar machines) to transmit patient data
• Identifying patients’/clients’ PHI in school papers
• Discarding or destroying papers containing patient PHI
• Communicating privacy questions/concerns in the agency
• Describing the consequences of violating HIPAA guidelines
Seven Patient Rights Regarding Privacy of PHI (Protected Health Information)
Individuals have the right to:
1. Receive notice of an agency’s privacy practices.
2. Know that an agency will use their PHI ONLY for treatment, payment, operations (TPO), certain other permitted uses, and uses required by law.
3. Consent to and control the use and disclosure of their PHI.
4. Access their protected health information (PHI), except for psychotherapy notes (they might be charged for copies).
5. Request amendment or addendum to their PHI (not always granted).
6. Receive accountings of disclosures.
7. File privacy complaints with the agency officer.
HIPAA Restricts Sharing PHI
Personal information cannot be released to individuals or companies interested in marketing ventures without the patient’s written permission. For example:
• Names of patients on antihypertensive drugs cannot be released to a company marketing nutritional products to lower blood pressure.
• Names and addresses of pregnant women cannot be provided to infant formula companies.
• Contact information of previous patients cannot be used to raise money for a hospital building campaign.
How do we assure patients’ rights to privacy and confidentiality?
Who has Access to PHI? The ‘Need-to-Know’ Principle
PHI should be shared with as few individuals as needed to ensure patient care, and then only to the extent demanded by the individual’s role. For example, the nursing assistant ‘needs to know’ only the facts concerning the patient’s current admission.
Protecting your patient’s PHI
• Take all reasonable steps to make sure that individuals without the ‘need to know’ do not overhear conversations about PHI.
• DO NOT conduct discussions about PHI in elevators or cafeterias.
• Do not let others see your computer screen while you are working. Be sure to log out when done with any computer file.
When preparing care plans or other course-required documents, take extra care to:
• not identify the patient/client. Do not use initials.
• use other demographic data only to the extent necessary to identify the patient and his/her needs to the instructor.
• protect the computer screen, PDA, clipboard, or notes from other individuals who don’t have a ‘need to know’
• protect your printer output from others who do not have a ‘need to know’
• protect your portable drive/CD-ROM/PDA from loss
• consider using the FW site’s network to save your documents, if available
Protecting your patients’ PHI
In your role, you are NOT to photoduplicate or fax a patient’s documents in the process of working with your patient’s PHI. As an intern of the clinical site you must use the site’s security procedures to transmit PHI.
Ways to Protect Confidentiality
• Minimum necessary standard: health care providers must make a reasonable effort to disclose or use the minimum necessary amount of protected health information (PHI).
• Clinical staff are allowed to look at a patient’s entire record and share information freely with other clinicians.
• Do not pass on any PHI.
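The need-to-know principle, the minimum necessary standard, the rule that coursework must not identify the patient, and the patient’s right to an accounting of disclosures (AOD) all come down to one mechanism: a per-role filter over the record plus a log of every release. The following Python is an added example written for this page; it is not code from the training deck and not any facility’s actual policy. The record fields, the role policy (treating clinician, nursing assistant, billing, patient, student coursework) and the sample patient are all constructed for illustration, and a real facility’s policy would be set by its Privacy Officer.

```python
"""Minimum-necessary (need-to-know) filter with an accounting-of-disclosures log.

Added example, not part of the original training deck. The record fields,
role policy and sample patient below are all constructed for illustration;
a real facility's policy is set by its Privacy Officer.
"""
from datetime import datetime, timezone

# Constructed sample record. Everything except the clinical fields is a
# direct identifier of the kind listed under "Examples of PHI".
SAMPLE_RECORD = {
    "name": "Jane Doe",                 # constructed
    "address": "1 Example Street",      # constructed
    "ssn": "000-00-0000",               # constructed placeholder
    "mrn": "MRN-TEST-001",              # constructed placeholder
    "dob": "1970-01-01",                # constructed
    "phone": "555-0100",                # constructed
    "diagnosis": "hypertension",
    "lab_results": {"BP": "150/95"},
    "admission_notes": "admitted for blood pressure management",
    "prior_history": "2009: knee surgery",
    "psychotherapy_notes": "(restricted)",
    "billing_code": "I10",
}

# Constructed role policy: the fields each role 'needs to know'.
# Roles not listed here (e.g. a marketing vendor) get nothing: deny by default.
ROLE_POLICY = {
    # clinicians may see the whole record and share it with other clinicians
    "treating_clinician": set(SAMPLE_RECORD),
    # the nursing assistant needs only facts about the current admission
    "nursing_assistant": {"name", "mrn", "admission_notes"},
    # payment needs identity and the billing code, not the clinical narrative
    "billing": {"name", "mrn", "dob", "billing_code"},
    # patients may access their own PHI, except psychotherapy notes
    "patient": set(SAMPLE_RECORD) - {"psychotherapy_notes"},
    # student coursework: clinical content only, no identifiers at all
    "student_coursework": {"diagnosis", "lab_results", "admission_notes"},
}


def minimum_necessary(record, role, policy=ROLE_POLICY):
    """Return a copy of the record holding only the fields the role may see.

    An unknown role raises PermissionError rather than falling through to
    the full record, so a misconfigured caller fails closed.
    """
    if role not in policy:
        raise PermissionError(f"no need-to-know policy for role {role!r}")
    allowed = policy[role]
    return {field: value for field, value in record.items() if field in allowed}


class DisclosureLog:
    """Records every release (and every refused attempt) so that an
    accounting of disclosures can be produced for a patient."""

    def __init__(self):
        self.entries = []

    def disclose(self, record, role, recipient, purpose, policy=ROLE_POLICY):
        entry = {
            "when": datetime.now(timezone.utc).isoformat(),
            "mrn": record["mrn"],
            "recipient": recipient,
            "role": role,
            "purpose": purpose,
            "fields": [],
            "denied": False,
        }
        try:
            released = minimum_necessary(record, role, policy)
        except PermissionError:
            # keep the refused attempt on record for the Privacy Officer to review
            entry["denied"] = True
            self.entries.append(entry)
            raise
        entry["fields"] = sorted(released)
        self.entries.append(entry)
        return released

    def accounting(self, mrn):
        """Entries for one patient, the basis of an AOD response."""
        return [e for e in self.entries if e["mrn"] == mrn]


if __name__ == "__main__":
    log = DisclosureLog()
    for role, who, why in [
        ("nursing_assistant", "CNA, 4 West", "treatment"),
        ("billing", "claims office", "payment"),
        ("student_coursework", "OT student care plan", "education"),
    ]:
        print(role, "->", sorted(log.disclose(SAMPLE_RECORD, role, who, why)))
    try:
        log.disclose(SAMPLE_RECORD, "marketing_vendor", "supplement seller", "marketing")
    except PermissionError as err:
        print("refused:", err)
    print(len(log.accounting("MRN-TEST-001")), "entries in the accounting")
```

Two design points matter here. The filter is an allow-list: a role sees only what its policy names, and a role with no policy gets an error rather than the whole record, which is how ‘need to know’ should fail. And the refused attempt is logged alongside the successful releases, so the marketing request in the demo is visible to whoever reviews the accounting, not silently dropped.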
Ways to Protect Patient Privacy
• Close patient room doors when discussing treatments and administering procedures.
• Close curtains and speak softly in semi-private rooms when discussing treatments and administering procedures.
• Avoid discussions about patients in elevators and cafeteria lines.
• Do not leave messages regarding patient conditions or test results on answering machines or with anyone other than the patient.
• Avoid paging patients using information that could reveal their health issues.
Maintaining Records
• Do not leave PHI unattended in an area where others can see it.
• When finished using PHI, return it to its appropriate location.
• When finished looking at electronic PHI, log off the system.
• Do not leave information visible on an unattended computer monitor.
• When discarding paper PHI, make sure the information is shredded in a secure bin.
• Leaving paper patient information intact in a wastebasket could lead to a privacy breach.
Destroying PHI/PMI
DO NOT put notes with PHI/PMI in the trash or paper recycling cans. A paper shredder is available for these materials. Ask your FWE about its location.
Helpful Hints to Use When Working With Computers
• Review your organization’s policies on using computers
• Do not use work e-mail for personal messages
• Never share or open attached files from an unknown source
• Never send confidential PHI in an e-mail unless your facility has a policy that allows it and mechanisms in place to protect the information
• Always double-check the address line of an e-mail before you send it
• Never share your password or log on to the system under someone else’s password
• Always keep computer screens pointing away from the public
• Never remove computer equipment, disks, or software from the facility unless you have permission
Exceptions to the Rule
• Laws require providers to report certain communicable diseases to state health agencies when patients have these diseases, even if the patient does not want the information reported.
• The Food and Drug Administration requires providers to report certain information about medical devices that break or malfunction.
• Some states require physicians and other caregivers who suspect child abuse or domestic violence to report it to the police.
• Police have the right to request certain information about patients when conducting a criminal investigation.
• Certain courts have the right, in some cases, to order providers to release PHI.
• Providers must report cases of suspicious deaths or certain injuries, such as gunshot wounds.
• Providers report information about patients’ deaths to coroners and funeral directors.
Reporting Abuses
• If a patient, a member of the public, or an employee knows that an organization is NOT complying with HIPAA, that person can file a complaint with the Office for Civil Rights (OCR) in the US Department of Health and Human Services.
• In your role as a student, report any issues related to HIPAA to your FWE first!!
Consequences of HIPAA Violations
In addition to federal laws, failure to comply with HIPAA also violates:
• Codes of Ethics
• Standards of Practice
• Policies & Procedures
Potential Consequences of HIPAA Violations
Legal consequences:
• Civil or criminal penalties
• Fines plus imprisonment
Professional consequences:
• Disciplinary action
Enforcement
Breaking HIPAA privacy or security rules can mean either a civil or a criminal sanction:
• Knowingly releasing PHI can result in a one-year jail sentence and a $50,000 fine.
• Gaining access to PHI under false pretenses can result in a five-year jail sentence and a $100,000 fine.
• Releasing PHI with harmful intent or selling the information can lead to a 10-year jail sentence and a $250,000 fine.