HIPAA Awareness Training Self-study training module
HIPAA Training Module This module features the following lessons: • What is HIPAA? • Why do I need to take this training? • What are IURA’s policies and procedures regarding patient information and confidentiality? • FAQs – Frequently asked questions
HIPAA Recently there has been a great deal of talk about HIPAA and what it means to healthcare. Many people have suggested that the changes that HIPAA brings to healthcare will be monumental.
HIPAA Overview • Privacy = Confidentiality • Compliance with the Privacy Rules requires cooperation among the medical center affiliates (IUSM, Clarian, VA, Wishard, practice plans, School of Nursing, all must comply) • Everyone at IUSM must comply
What is HIPAA? HIPAA stands for: Health Insurance Portability and Accountability Act of 1996 No, it’s not short for hippopotamus!
What is HIPAA? HIPAA is a federal law, with implementing regulations (including the Privacy Rule), that most healthcare providers have to comply with. It protects the privacy, security and confidentiality of a patient’s health information.
What is HIPAA? With HIPAA, the government mandates that IURA protect the privacy, security and confidentiality of our patients.
What is HIPAA? What is protected? • Protected health information (PHI) is: • Individually identifiable health information • Information that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual (ex: name, social security number, demographic information) • Transmitted or maintained in any form or medium (paper, electronic, or spoken)
What is HIPAA? De-Identified Information • PHI is de-identified by removing, coding, or otherwise eliminating or concealing the individually identifiable information (encryption protects PHI in storage and transit, but encrypted PHI is still PHI until the identifiers are actually removed) • The regulations do not apply to de-identified information • It may be used or disclosed freely as long as the code or key needed to re-identify the information is kept separate and is not accessible to the recipient
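The slide above describes de-identification by removing and coding identifiers and keeping the re-identification code inaccessible. The following is an added illustration written for this page, not IURA’s or anyone else’s production code. It assumes record fields named name, ssn, dob, address and diagnosis (the examples of demographic and clinical information the page gives), replaces the direct identifiers with a random study_id that is not derived from the patient’s own data, keeps only the year of birth, and holds the study_id-to-identity mapping in a separate structure that plays the role of the re-identification key. The two sample records are constructed for the example and describe no real patient.

```python
import secrets
from typing import Dict, List, Tuple

# Fields treated as direct identifiers (assumed field names for this example).
DIRECT_IDENTIFIERS = ("name", "ssn", "address")

# Constructed sample records; no real patients.
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "ssn": "123-45-6789", "dob": "1980-03-14",
     "address": "1 Example St, Indianapolis, IN", "diagnosis": "fractured wrist"},
    {"name": "John Roe", "ssn": "987-65-4321", "dob": "1975-11-02",
     "address": "2 Sample Ave, Indianapolis, IN", "diagnosis": "pneumonia"},
]


def de_identify(records: List[dict]) -> Tuple[List[dict], Dict[str, dict]]:
    """Strip direct identifiers and return (safe_records, reid_key).

    Each safe record carries a random study_id; reid_key maps that
    study_id back to the removed identifiers and must be stored
    separately from the de-identified data set.
    """
    safe_records: List[dict] = []
    reid_key: Dict[str, dict] = {}
    for rec in records:
        # Random token: not computed from the patient's data, so it cannot
        # be reversed without the mapping held in reid_key.
        study_id = secrets.token_hex(8)
        removed = {f: rec[f] for f in DIRECT_IDENTIFIERS if f in rec}
        clean = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        # Keep only the year of birth; the full date is dropped (design
        # choice for this example, stricter than the slide spells out).
        if "dob" in clean:
            clean["birth_year"] = clean.pop("dob")[:4]
        clean["study_id"] = study_id
        safe_records.append(clean)
        reid_key[study_id] = removed
    return safe_records, reid_key


def re_identify(safe_record: dict, reid_key: Dict[str, dict]) -> dict:
    """Rebuild the identified record; only possible with access to reid_key."""
    restored = {k: v for k, v in safe_record.items() if k != "study_id"}
    restored.update(reid_key[safe_record["study_id"]])  # KeyError if no key
    return restored


def leaks_identifiers(safe_records: List[dict], originals: List[dict]) -> bool:
    """Check that no original identifier value survives in the safe records."""
    secrets_to_find = {
        str(rec[f]) for rec in originals for f in DIRECT_IDENTIFIERS if f in rec
    }
    for rec in safe_records:
        for value in rec.values():
            if any(s in str(value) for s in secrets_to_find):
                return True
    return False


if __name__ == "__main__":
    safe, key = de_identify(SAMPLE_RECORDS)
    print("de-identified:", safe)
    print("leaks identifiers:", leaks_identifiers(safe, SAMPLE_RECORDS))
    print("re-identified first record:", re_identify(safe[0], key))
```

The de-identified list can be handed to a research or quality-review project on its own; whoever holds reid_key holds the re-identification code, so the page’s condition (the code is not accessible to the recipient) is met only if that mapping stays out of the recipient’s hands.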
HIPAA HIPAA requires that all health care organizations have a privacy officer. Our Privacy Officer is Marcia Gonzales in the IUSM Office of Compliance Services 278-4891 * The HIPAA liaison for the Radiology Department is Rita McFarland UH 0663C 274-4328
HIPAA Their roles are to provide in house reference and guidance for the processes established to comply with the HIPAA privacy regulations.
HIPAA – Why is training necessary? The Privacy, Security and Confidentiality of patient information is important to IURA. …and it’s important that you know the rules regarding patient confidentiality.
HIPAA – Why is training necessary? Confidentiality is so important that IURA requires that: • All employees and workforce members be informed of their responsibility to protect confidentiality. • A proven violation of the confidentiality of patient information results in immediate disciplinary action, up to and including termination.
HIPAA – Policy What is Indiana University Radiology Associate’s policy? • Our policy states that patient information will be kept private and confidential • Our policy also guides us on who should have access to patient information • Direct access to patient information shall only be permitted to those employees who have a “need to know” to perform their job functions
HIPAA - Policy What patient information does IURA require me to keep confidential? • Demographic information • Examples: Name, social security number, date of birth, address, etc. • Information about injury, illness or condition – including symptoms, diagnosis or treatment • Conversations between the patient and health care workers
HIPAA - Policy In regard to HIPAA: “need to know” corresponds to the Privacy Rule’s minimum necessary standard: use, request, or disclose only the minimum amount of patient information needed to accomplish the task at hand.
HIPAA - Policy When do I “need to know”? “Need to Know” is when you need information to: • Document the patient’s treatment • Facilitate communication between physicians and other professionals contributing to the patient’s care • Provide continuity of patient care • Provide a basis for review, study, and evaluation of patient care processes • Provide clinical data for approved research, study, and education; and for legitimate business purposes.
HIPAA - Policy What are legitimate business purposes? Legitimate business purposes include provision of: • Statistical data for decision making and planning • Data to third parties as specified by law (e.g. communicable diseases, coroner’s cases, burns, cancer registry reporting, etc.) • Documentation for billing and insurance claims processing • Appropriate access to medical records and data as required for licensing and accreditation purposes.
HIPAA - Policy Our policy also guides us on when and where we can discuss patient information. • Discuss patient information privately; never in elevators, lobbies, cafeterias, or corridors • Make sure requisitions, forms, and computer screens with patient names and information are not easily viewed by others • Dispose of unnecessary patient information in proper receptacles for shredding, not ordinary trash bins
HIPAA And remember…. Co-workers can be patients, too. They have every right to expect the same level of privacy… Just like you do whenever you’re a patient!
HIPAA HOW do I protect the privacy of my co-workers? • Take special care to respect the privacy of co-workers and colleagues who are patients. • Do NOT discuss the health care services of your co-workers with anyone who is not directly involved in their care. • Do NOT ask co-workers why they are a patient, or their reasons for accessing health services. • Do NOT access their private health information unless it is for patient care purposes
HIPAA – Privacy, Security, and Confidentiality There will be a few changes brought about by HIPAA. These are summarized below: • We are required to provide a Notice of Privacy Practices to all patients that describes their rights over their PHI • Patients will sign an acknowledgement form stating that they received a copy of the Privacy Notice • We are required to make a “good faith effort” to obtain this acknowledgement (Verbal acknowledgement is not enough, must be in writing)
HIPAA – Privacy, Security, and Confidentiality • There will be a formal process for patients to: • Request copies of their medical record • Obtain a list of who has accessed their information • Make amendments to their medical records • Complain to our HIPAA liaison or privacy officer about our privacy practices
Security Safeguards • Passwords: don’t share them and don’t post them • Workstations: secure your workstation, use a password-protected screen saver, lock your computer whenever you step away, log off when it is not in use, and log off at night • E-mail: avoid sending sensitive or confidential patient information; Outlook mail is not currently encrypted, so anything you send can be read by others along the way • Removable media (disks, CDs): lock them up when stored, and dispose of or destroy them properly • Internet: use the VPN for remote access, rely on the firewalls, monitor and audit usage, and keep virus protection up to date
FAQ’s The following pages provide answers to some Frequently Asked Questions about HIPAA. Read them to learn more about how HIPAA will (and won’t) change the way you work…..
Access to Information What happens when the patient wants to know what is in his/her medical record? • Patients have the right to access and obtain a copy of their medical or billing information • We must act upon their request within 30 days • We may deny a patient’s request in some circumstances
Access to Information Does the Privacy Rule require us to provide private rooms and soundproof walls to avoid any possibility that a conversation is overheard? • No, the Privacy Rule does not require these types of structural changes • However, we must have in place appropriate administrative, technical and physical safeguards to protect the privacy of health information
Access to Information “Reasonable safeguards” mean that we must make reasonable efforts to prevent uses and disclosures not permitted by the rule.
Access to Information Does HIPAA force us to isolate X-ray view boxes? • No, the HIPAA standards do not require that specific measure. The Privacy Rule does not require that we totally isolate view boxes, but it does require reasonable precautions to prevent inadvertent or unnecessary disclosures, such as keeping X-rays out of areas accessible to the public.
Access to Information If health care providers engage in confidential conversations with other providers or patients, have they violated HIPAA if there is a possibility that they could be overheard? • As long as reasonable precautions are taken to minimize the chance of inadvertent disclosures to others who may be nearby (such as using lowered voices, talking apart, etc.), health care staff may discuss a patient’s condition at nurse’s stations, over the phone with the patient, a provider, or a family member, or during training rounds in an academic or training institution.
Access to Information Can we FAX patient medical information to a physician’s office? • The Privacy Rule permits the disclosure of protected health information to another health care provider for treatment purposes. This can be done by fax or other means. Health care providers must have in place reasonable safeguards to protect the privacy of the protected health information such as confirming that the fax number to be used is correct and placing fax machines in secure locations to prevent unauthorized access to the information.
Access to Information Can we use patient sign-in sheets or call out the names of patients in their waiting rooms? • Yes, patient sign-in sheets and calling out names in waiting rooms may be used as long as the information disclosed is appropriately limited. The Privacy Rule explicitly permits certain “incidental disclosures” that occur as a by-product of an otherwise permitted disclosure; for example, other patients in a waiting room learning the identity of the person whose name is called. This is permitted only if reasonable and appropriate safeguards are in place to limit the information exposed, so a sign-in sheet may ask for a name but not the reason for the visit, diagnosis, or history.
Business Associates What happens when the radiologist dictates a report that is transcribed by an outside transcription agency? • The transcription company is a business associate because they are interacting with health information and performing the service on our behalf. A Business Associate Agreement with the company that meets HIPAA standards is required.
Complaints Can patients complain to us? • Patients have always had the right to complain to us or any of our state, federal, or accrediting bodies. • Under HIPAA, we have to tell patients that they can complain to us, or the Department of Health and Human Services, Office of Civil Rights. This is outlined in our Notice of Privacy Practices. • If a patient wants to file a complaint with IURA, contact the HIPAA liaison.
Complaints If a patient wants to file a complaint with the Department of Health and Human Services, it must meet the following requirements: • A complaint must be filed in writing • The person must name the facility where the violation occurred and describe what happened • The complaint must be filed within 180 days of occurrence
Complaints Can employees report possible violations of the privacy rule to us? • Employees are encouraged to report possible violations of the privacy rule to us. If there’s a problem, we want to fix it. Employees should feel comfortable to know that we will not take any retaliatory action when employees file complaints • Employees should submit their complaint to the Radiology HIPAA Liaison • Employees may also use the IU Compliance Notification Line (877) 526-6759
Amendment to Record What if the patient disagrees with the information in his medical record? • An individual has a right to request an amendment • We can require a written request with reason for the change • We have 60 days to act • We must notify the individual if the amendment was accepted and inform relevant persons identified by the individual • We can never delete the original information-the amendment allows the patient to supply a written supplement to their medical record
Amendment to Record Can we deny the patient’s request to amend his medical record? • We may deny the request if the health information: • Was not created by us • Is not part of their medical or billing records • Was not available for inspection • Is accurate and complete
Amendment to Record What happens if we deny the request for amendment? • We must provide timely, written notice to the individual • The notice must explain the reason for denial, the right to submit a written statement of disagreement, and the individual’s right to complain to us or directly to the government • We may prepare a rebuttal statement and give a copy to the individual • We must include request and denial with future disclosures
Authorization What happens if the patient’s spouse wants a copy of his/her record? • PATIENT authorization is REQUIRED • Valid authorization must be in writing
Consent What happens when a patient comes into our facilities after April 14, 2003? • Healthcare Providers are required to have a Privacy Notice • At registration, patients will be given a copy of IURA’s Notice of Privacy Practices • There will be a written acknowledgement from the patient that they’ve been given a copy of this notice • We are also required to post the Privacy Notice in the waiting rooms and on our website
Don’t see the answer to your question here? Try looking at the HIPAA website: http://www.hhs.gov/ocr/hipaa/privacy.html http://www.hhs.gov/ocr/hipaa/whatsnew.html http://www.hhs.gov/ocr/index.html
Don’t see the answer to your question here? Or contact the following: • IURA HIPAA Liaison-Rita McFarland • Phone number: 274-4328 • E-mail: email@example.com • Office of Compliance Services • Phone number (317) 278-4891 • Website: www.medicine.iu.edu/~wecomply • IU Compliance Notification Line • Phone number (877) 526-6759
Conclusion • After reviewing the study packet, complete the attached short quiz to receive credit for this training. Please print out the completed quiz and training form and forward to: Rita McFarland Radiology Department UH 0663C