Intern HIPAA Training

HIPAA Privacy
Keys to Success
Education for Students
Updated February 2010
HIPAA Job Specific Education
1
HIPAA and Its Purpose
What is HIPAA?
 Health Insurance Portability and Accountability Act of 1996
 Title II – Administrative Simplification
 It’s a federal law
 HIPAA is mandatory, penalties for failure to comply
Purpose:
 Protect health insurance coverage, improve access to healthcare
 Reduce fraud and abuse
 Improve quality of healthcare in general
 Reduce healthcare administrative costs (electronic transactions)
HITECH and Its Purpose
What is HITECH?
 Health Information Technology for Economic and Clinical Health Act
 Subtitle D of the American Recovery and Reinvestment Act of 2009 (ARRA)
 It’s a federal law
Purpose:
 Makes massive changes to privacy and security laws
 Applies to covered entities and business associates
 Creates a nationwide electronic health record
 Increases penalties for privacy and security violations
Civil Penalties for Noncompliance*
Violation Category               Each Violation       All such violations of an identical provision in a calendar year
Did Not Know                     $100 - $50,000       $1,500,000
Reasonable Cause                 $1,000 - $50,000     $1,500,000
Willful Neglect - Corrected      $10,000 - $50,000    $1,500,000
Willful Neglect - Not Corrected  $50,000              $1,500,000
*As of 2/17/09
Criminal Penalties for Noncompliance
• These penalties can apply to any “person”, including students.
• The penalties are higher for actions designed to generate monetary gain:
 up to $50,000 and one year in prison for obtaining or disclosing protected health information
 up to $100,000 and up to five years in prison for obtaining protected health information under "false pretenses"
 up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm
Facility Privacy Official
• The name of the facility’s FPO is Debra Hasling.
• The FPO is responsible for:
– Privacy Program
– Privacy Rights of patients
– Requests for Privacy Restrictions
– Facilitating the training and education of staff
HIPAA Terminology
• HIPAA: Health Insurance Portability and Accountability Act
• HITECH: Health Information Technology for Economic and Clinical Health Act
• PHI: Protected Health Information
• CE: Covered Entity (Hospital)
• ACE: Affiliated Covered Entity (Common ownership)
• OHCA: Organized Health Care Arrangement (The hospital and medical staff will be considered an Organized Health Care Arrangement)
• DRS: Designated Record Set (medical record and billing record)
• AOD: Accounting of Disclosures (patient’s right to receive)
• Directory: Hospital census list used by volunteers and operators with name and room
How will HIPAA affect you?
• Coversheets with confidential statement need to be used on all external faxes.
• Screens need to be placed out of public view when possible.
• Patient charts need to be placed in a secure area.
• PHI needs to be placed in Shred-It containers for disposal.
• Patient family members will be given a passcode for information other than directory releases.
• Patient information should only be accessed if there is a need to know.
NEED TO KNOW
• Any person (including students) who has access to the facility or Company systems or applications may only view information contained in that system when there is a NEED TO KNOW for purposes of treatment, payment or operations.
Accessing Your Medical Record
• You may never access your own medical record via the Meditech system.
• You may access your own medical record by following the procedures as required for any patient.
MONITORING NEED TO KNOW
• HCA’s IT&S Department monitors all individuals who access its medical records through ongoing “Appropriate Access” audits.
• When IT&S determines a student may have accessed a medical record without the NEED TO KNOW, IT&S will contact that student’s supervisor.
How will HIPAA affect you?
• Registration will give out a Notice of Privacy Practices brochure to every patient concerning our patient privacy protection policy.
• Patients will be given the option to “opt out” of our directory.
• Patients have a right to a copy of their medical record.
• Authorizations need to be obtained from the patient to release information for reasons other than treatment, payment or healthcare operations (TPO).
What is Protected by HIPAA (PHI)? Any one of the following is PHI.
• Name
• Address including street, city, county, zip code and equivalent geocodes
• Names of relatives
• Name of employers
• Birth date
• Telephone numbers
• Fax numbers
• Electronic e-mail addresses
• Social Security Number
• Medical record number
• Health plan beneficiary number
• Account number
• Certificate/license number
• Any vehicle or other device serial number
• Web Universal Resource Locator (URL)
• Internet Protocol (IP) address number
• Finger or voice prints
• Photographic images
• Any other unique identifying number, characteristic, code
What is a Covered Entity (CE)?
• Health plans, health care clearinghouses, and health care providers that transmit electronically for billing
– Examples
• Hospitals
• Physician Practices
• Insurance companies
• Ambulance Transportation Services
• Hospice
• Home Health
What does that mean to me?
• Information may be shared without patient authorization as it relates to treatment, payment or hospital operations (TPO).
• When in doubt… check with the Charge Nurse or Department Director prior to sharing information without patient authorization.
Disclosing PHI to Family Members and Friends Who Call the Unit
• Patients are assigned a four-digit passcode. Family members and friends need this passcode to be able to get non-directory information.
• Distribution of the passcode is the responsibility of the patient.
Verification of Requestors
• When a Covered Entity makes a request via phone they will need:
– Patient SS# + DOB and one of the following:
– Account number, street address, MR#, birth certificate, insurance card or policy number
– Scenario
• An unknown physician calling from a cell phone must have the patient SS# + DOB and one of the above prior to information being provided to that physician.
External Faxing Guidelines
• Limit when possible
• Verify fax number
• Fax machine must be located in a secure location
• ALWAYS use cover sheet with confidentiality statement for transmittals
• Highly sensitive information should NEVER be faxed (HIV status, abuse records, etc.)
Patient’s Right to Access
• Patients may request a copy or inspection of their medical record.
• BUT, students should not provide a copy to the patient nor allow the patient to inspect their medical record.
• Students should direct the patient’s request to the Charge Nurse for follow up.
Patient’s Right to Opt out of Directory
• A patient can opt out of the directory at any time, but this will most likely happen during the admission process.
• IF A PATIENT OPTS OUT OF THE DIRECTORY… you may not acknowledge the patient is in the facility AND
• You may not give information about the patient to family and friends unless they provide the 4-digit passcode.
Right to Privacy Restrictions
• Patients have the right to request a privacy restriction of their PHI.
• But, NEVER agree to a patient requested restriction.
• All requests must be made in writing and given to the FPO to make a decision on.
• NO request is so small that it should not be routed to the FPO.
Patient Privacy Complaints
• ALL privacy complaints must be routed to the FPO.
• No privacy complaint is too small or insignificant.
Notice of Privacy Practices
• Patient will receive a Notice of Privacy Practices (NOPP) upon each registration.
• Notice of Privacy Practices outlines patient rights:
– Right to access
– Right to amend
– Confidential Communication
– Right to Privacy Restriction
– Right to Opt out of Directory
• Ask registration for a copy of the NOPP.
Breach Notification
• Beginning February 2010… HITECH provisions require the following notifications when breaches (as defined in the regulations) occur:
– To the patient (the facility is required to send a letter to the patient).
– To the Department of Health and Human Services (the facility notifies DHHS online).
– To the media when the breach involves more than 500 individuals in the same jurisdiction.
Security Compliance
TAKE IT SERIOUSLY
• Log off terminals when not in use.
• Computer screens should be positioned so information (PHI) is not readable by the public.
• Printers should be in protected locations so that printed information is not accessible by the public.
• PHI must be disposed of using Shred-It bins.
Common Exposures To Avoid
• Discussions of patient information in public places such as elevators, hallways and cafeterias
• Printed or electronic information left in public view (e.g., charts left on counters)
• PHI in regular trash
• Unauthorized individuals hearing patient sensitive information such as diagnosis or treatment
SOCIAL NETWORKING
• NEVER discuss patients or patient information (even if you think it is unidentifiable) on a social network site, such as Facebook or Twitter.
Disciplinary Action and/or School Notification
3 levels of violations with disciplinary action and/or notification to the school:
– Accidental disclosure of PHI may result in an oral or written warning.
– Purposeful violation of privacy policy may result in notification to school and dismissal from the hospital’s student program.
– Purposeful violation of privacy policy with associated potential for patient harm will result in notification to school and dismissal from the hospital’s student program.
Tracking Your Training
Federal law requires each HCA facility to document that you have successfully completed HIPAA training and to track that documentation for six (6) years.
STOP!! STOP!! STOP!! STOP!!
Your training is NOT complete!!
1. You must successfully pass the HIPAA Quiz;
2. Receive a Certificate of Completion from the facility; &
3. Ensure your facility has a copy of both your Quiz and Certificate for their records.
Please keep a copy of your Quiz and the Certificate for your records.