1 / 30

HIPAA Privacy Keys to Success

HIPAA Privacy Keys to Success. Education for Students Updated February 2010. What is HIPAA? Health Insurance Portability and Accountability Act of 1996 Title II – Administrative Simplification It’s a federal law HIPAA is mandatory, penalties for failure to comply. Purpose:

taran
Télécharger la présentation

HIPAA Privacy Keys to Success

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. HIPAA PrivacyKeys to Success Education for Students Updated February 2010 HIPAA Job Specific Education

  2. What is HIPAA? Health Insurance Portability and Accountability Act of 1996 Title II – Administrative Simplification It’s a federal law HIPAA is mandatory, penalties for failure to comply Purpose: Protect health insurance coverage, improve access to healthcare Reduce fraud and abuse Improve quality of healthcare in general Reduce healthcare administrative costs (electronic transactions) HIPAA and Its Purpose HIPAA Job Specific Education

  3. What is HITECH? Health Information Technology for Economic and Clinical Health Act Subtitle D of the American Recovery and Reinvestment Act of 2009 (ARRA) It’s a federal law Purpose: Makes massive changes to privacy and security laws Applies to covered entities and business associates Creates a nationwide electronic health record Increases penalties for privacy and security violations HITECH and Its Purpose HIPAA Job Specific Education

  4. Civil Penalties for Non-compliance* *As of 2/17/09 HIPAA Job Specific Education

  5. Criminal Penalties for Non-compliance • These penalties can apply to any “person” , including students. • The penalties are higher for actions designed to generate monetary gain • up to $50,000 and one year in prison for obtaining or disclosing protected health information • up to $100,000 and up to five years in prison for obtaining protected health information under "false pretenses" • up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm HIPAA Job Specific Education

  6. Facility Privacy Official • The name of the facility’s FPO is Debra Hasling. • The FPO is Responsible for: • Privacy Program • Privacy Rights of patients • Requests for Privacy Restrictions • Facilitating the training and education of staff HIPAA Job Specific Education

  7. HIPAA Terminology • HIPAA: Health Insurance Portability and Accountability Act • HITECH: Health Information Technology for Economic and Clinical Health Act • PHI: Protected Health Information • CE: Covered Entity (Hospital) • ACE: Affiliated Covered Entity (Common ownership) OHCA: Organized Health Care Arrangement (The hospital and medical staff will be considered an Organized Health Care Arrangement) • DRS: Designated Record Set (medical record and billing record) • AOD: Accounting of Disclosures (patient’s right to receive) • Directory: Hospital census list used by volunteers and operators with name and room HIPAA Job Specific Education

  8. How will HIPAA affect you? • Coversheets with confidential statement need to be used on all external faxes. • Screens need to be placed out of public view when possible • Patient charts need to be placed in secure area • PHI needs to be placed in Shred-It containers for disposal • Patient family members will be given a passcode for information other than directory releases • Patient information should only be accessed if there is a need to know HIPAA Job Specific Education

  9. NEED TO KNOW Any person (including students) who have access to the facility or Company systems or applications may only view information contained in that system when there is a NEED TO KNOW for purposes of treatment, payment or operations. HIPAA Job Specific Education

  10. Accessing Your Medical Record You may never access your own medical record via the Meditech system. You may access your own medical record by following the procedures as required for any patient. HIPAA Job Specific Education

  11. MONITORING NEED TO KNOW HCA’s IT&S Department monitors all individuals who access its medical records through ongoing “Appropriate Access” audits. When IT&S determines a student may have accessed a medical record without the NEED TO KNOW, IT&S will contact that student’s supervisor. HIPAA Job Specific Education

  12. How will HIPAA affect you? • Registration will give out a Notice of Privacy Practices brochure to every patient concerning our patient privacy protection policy. • Patients will be given the option to “opt out” of our directory. • Patients have a right to a copy of their medical record • Authorizations need to be obtained from patient to release information for reasons other than for treatment, payment or healthcare operations (TPO) HIPAA Job Specific Education

  13. Name Address including street, city, county, zip code and equivalent geocodes Names of relatives Name of employers Birth date Telephone numbers Fax Numbers Electronic e-mail addresses Social Security Number Medical record number Health plan beneficiary number Account number Certificate/license number Any vehicle or other device serial number Web Universal Resource Locator (URL) Internet Protocol (IP) address number Finger or voice prints Photographic images Any other unique identifying number, characteristic, code What is Protected by HIPAA (PHI)? Any one of the following is PHI. HIPAA Job Specific Education

  14. What is a Covered Entity (CE)? • Health plans, Health care clearinghouses, and Health care providers that transmit electronically for billing • Examples • Hospitals • Physician Practices • Insurance companies • Ambulance Transportation Services • Hospice • Home Health HIPAA Job Specific Education

  15. What does that mean to me? • Information may be shared without patient authorization as it relates to treatment, payment or hospital operations (TPO) • When in in doubt… check with the Charge Nurse or Department Director prior to sharing information without patient authorization. HIPAA Job Specific Education

  16. Disclosing PHI to Family Members and Friends Who Call the Unit • Patients are assigned a four-digit passcode. Family members and friends need this passcode to be able to get non-directory information • Distribution of the passcode is the responsibility of the patient HIPAA Job Specific Education

  17. Verification of Requestors • When a Covered Entity makes a Request via phone they will need: • Patient SS# + DOBand one of the following: • Account number, street address, MR#, birth certificate, insurance card or policy number • Scenario • An unknown physician calling from cell phone must have the patient SS# + DOB and one of the above prior to information being provided to that physician. HIPAA Job Specific Education

  18. External Faxing Guidelines • Limit when possible • Verify fax number • Fax machine must be located in secure location • ALWAYSuse cover sheet with confidentiality statement for transmittals • Highly sensitive information should NEVER be faxed (HIV status, abuse records, etc.) HIPAA Job Specific Education

  19. Patient’s Right to Access • Patients may request a copy or inspection of their medical record. • BUT, students should not provide a copy to the patient nor allow the patient to inspect their medical record. • Students should direct the patient’s request to Charge Nurse for follow up. HIPAA Job Specific Education

  20. Patient’s Right to Opt out of Directory • A patient can opt out of directory at anytime but this will most likely happen during the admission process. • IF A PATIENT OPTS OUT OF THE DIRECTORY… you may not acknowledge the patient is in the facility AND • You may not give information about the patient to family and friends unless they provide the 4-digit passcode. HIPAA Job Specific Education

  21. Right to Privacy Restrictions • Patients have the right to request a privacy restriction of their PHI • But, NEVER agree to a patient requested restriction • All requests must be made in writing and given to the FPO to make a decision on • NO request is so small that it should not be routed to the FPO HIPAA Job Specific Education

  22. Patient Privacy Complaints • ALL privacycomplaints must be routed to the FPO • No privacy complaint is too small or insignificant HIPAA Job Specific Education

  23. Notice of Privacy Practices • Patient will receive a Notice of Privacy Practices (NOPP) upon each registration • Notice of Privacy Practices outlines patient rights • Right to access • Right to amend • Confidential Communication • Right to Privacy Restriction • Right to Opt out of Directory • Ask registration for a copy of the NOPP HIPAA Job Specific Education

  24. Breach Notification • Beginning February 2010…HITECH provisions require the following notifications when breaches (as defined in the regulations) occur: • To the patient (the facility is required to send a letter to the patient). • To the Department of Health and Human Services (the facility notifies DHHS online). • To the media when the breach involves more than 500 individuals in the same jurisdiction. HIPAA Job Specific Education

  25. Security Compliance TAKE IT SERIOUSLY • Log off terminals when not in use. • Computer screens should be positioned so information (PHI) is not readable by the public • Printers should be in protected locations so that printed information is not accessible by the public. • PHI must be disposed using SHRED –IT bins. HIPAA Job Specific Education

  26. Common Exposures To Avoid • Discussions of patient information in public places such as elevators, hallways and cafeterias • Printed or electronic information left in public view (e.g., charts left on counters) • PHI in regular trash • Unauthorized individuals hearing patient sensitive information such as diagnosis or treatment HIPAA Job Specific Education

  27. SOCIAL NETWORKING NEVER discuss patients or patient information (even if you think it is unidentifiable) on a social network site, such as Face Book or Twitter. HIPAA Job Specific Education

  28. Disciplinary Action and/or School Notification 3 levels of violations with disciplinary action and/or notification to the school: • Accidental disclosure of PHI may result in an oral or written warning. • Purposeful violation of privacy policy may result in notification to school and dismissal from hospital’s student program. • Purposeful violation of privacy policy with associated potential for patient harm will result in notification to school and dismissal from the hospital’s student program. HIPAA Job Specific Education

  29. Tracking Your Training Federal law requires each HCA facility to document that you have successfully completed HIPAA training and to track that documentation for six (6) years. HIPAA Job Specific Education

  30. STOP!! STOP!! STOP!! STOP!! Your training is NOT complete!! HIPAA Job Specific Education • You must successfully pass the HIPAA Quiz; • Receive a Certificate of Completion from the facility; & • Ensure your facility has a copy of both your Quiz and Certificate for their records. Please keep a copy of your Quiz and the Certificate for your records

More Related