What is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act (1996).

It was created to protect the security, integrity and privacy of health care data by enforcing privacy regulations within healthcare and other industries that:

- Protect an individual’s identifiable medical history and condition

- Give patients the right to know who has or will see their records (for purposes other than treatment, payment and health care operations)

- Provide the same level of protection for all confidential information

- Create a “federal floor” of privacy protection but do not supersede state laws providing greater protection.

Why do you need to know about HIPAA?

During the course of your job here at EMHC, whether you intend to or not, you come in contact with a lot of information about the health status of the people who come here for treatment. That information is private, and we have treated it that way for many years. HIPAA has created additional privacy regulations to ensure the safeguarding of that type of information, which we have incorporated into our way of doing things. In this packet we will discuss those ways, and how they impact you.

Additional aspects that are new with HIPAA, which everyone working in healthcare should know about, are the potential penalties that an individual can incur for violations of HIPAA, also known as breaches of confidentiality. The potential penalties for such a violation are as follows:

Criminal Penalties: It is a Federal crime for anyone to knowingly and wrongfully disclose or receive individually identifiable health information in violation of HIPAA.

- Fines: $50,000 to $250,000

- Imprisonment: 1 to 10 years

- Both civil and criminal penalties may be imposed

Civil Monetary Penalties: For each failure to comply with each HIPAA provision, $100 per violation, capped at $25,000 for violations of the same provision.

What Exactly Do We Need to Protect?

Part of the reason that HIPAA was enacted was to help safeguard the Protected Health Information (PHI) of patients and other persons that is generated by a healthcare provider or other institutions.

What is PHI?

Through the course of our daily business, Elmhurst Memorial Healthcare, like all other healthcare providers and many other businesses, generates a lot of information about the past, present, and future medical condition of the people we treat. Once this information becomes linked with the identity of the person being treated, it becomes Protected Health Information (PHI). PHI is information that...

- identifies an individual by name, number, characteristic or code

- relates to the individual’s health, healthcare treatment, or healthcare payment (past, present or future)

- is maintained or disclosed electronically, on paper or orally.

“Individually Identifiable” means that someone seeing or hearing health information can identify the person it’s about. Certain information is unique to an individual and by itself can identify that person. If health information is linked with any of the following unique items, it is considered PHI:

- Name

- Social Security Number

- Driver’s License Number

- Telephone or Fax Number

- Address

- Email Address or URL

- Patient ID Number

- Account Number or Health Plan Number

- Biometric Identifiers (Fingerprint/Voice Print)

- Photograph or Likeness

PHI Examples

Written PHI

- Patient’s medical record

- Sign-in sheet with patient’s name and reason for visit

- A code that documents a specific health procedure or test

- Patient’s insurance card

Oral PHI

- A conversation about a patient’s condition with a colleague in a place where others can overhear

- An appointment reminder message on an answering machine

- A telephone call to verify health insurance coverage

- A patient report dictated onto a tape

- A patient’s name and test/procedure announced in a waiting room

Paper PHI

- Fax sheets

- Face sheets from hospitals at which physicians practice

- Test results

Computer/Other Media PHI

- Data appearing on computer monitors and screens

- E-mail with PHI included in it

- Palm Pilots with PHI stored on them

- X-rays

- Photos

- CDs and tapes

Elmhurst Memorial Healthcare has dedicated itself to making sure any PHI we create or are involved with is protected to the best of our ability. To do this, we have created and amended several policies and procedures. The following pages are dedicated to educating you on the main policies and procedures that will affect you as you go about your job here at EMHC. This training manual is not intended to educate you on every aspect of every new or altered policy at EMHC as a result of HIPAA, but to give you an overview of the major policies and procedures that will affect your specific job type. If you would like to access the full policy, you can do so through the policy manual that houses the specific policy, available on our intranet under the "Manuals" section.

To help you in that search, the policy manual and section that houses each specific policy that has been added or changed with the advent of HIPAA has been included at the end of this document. Now, we will begin discussing the major policies that will impact you as you go about your duties here at EMHC.

Non-disclosure of Information Policy

Unauthorized access, use, or release of confidential and sensitive information to non-authorized individuals is strictly prohibited and will result in immediate disciplinary action up to and including separation. This includes:

- Patient names and other identifiers, and:

- Patient personal medical information

- Patient billing information

- Any other information related to the past, present or future physical or mental condition of a person

- Employee names and personnel decisions

- Financial information

- Proprietary products and product development

- Marketing and general business strategies

- Any ideas, methods, or programs that have not been publicly disclosed, or other confidential information

This means...

The Administration Office, Nursing Office, Public Relations, and Admitting are the only departments authorized to give out information about a patient’s condition.

- Never place medical records in the hands of an unauthorized person

- Never discuss a patient’s condition or PHI with employees not directly involved in that patient’s care

- Never discuss PHI in public areas

- Employees cannot inspect their own medical record, or those of their minor children or relatives, without valid authorization.

- Release of information to the public must be handled through the Public Relations Department. This includes requests for photographs involving patients to be taken on the premises.

- An employee who has a reasonable basis to believe that a breach of confidentiality has occurred, but does not report it, may also be subject to disciplinary action.

- Employees who do come forward to report breaches should not be subject to retaliation.

User ID Code Confidentiality Policy

Employees with user ID codes are only to access information that is pertinent to their job responsibilities. They must also take measures to ensure that security and confidentiality are maintained. This includes the following:

- Steering clear of unauthorized information

- Keeping passwords confidential

- Signing off when not using the system

Patient Access to PHI Policy

The last two policies we will discuss today are important not only because you are an employee of EMHC, but also because you may have already, or will in the future, visit EMHC for the provision of healthcare to you or your family members or friends. The first policy, the Patient Access to PHI Policy, discusses what information is appropriate to give patients or other appropriate persons involved in the patient's care, and how to go about releasing that information to patients or the other persons involved in their care. It also indicates that patients have the right to an accounting of who has had access to their PHI for reasons other than treatment, payment, or other healthcare operations. The following are important aspects of this policy to remember:

- PHI can only be accessed by the individual receiving care. In some circumstances it may be appropriate for a parent, guardian, or legal custodian of a minor, a spouse or legal representative of a deceased person, or a healthcare agent designated by an incapacitated person to be granted access to PHI.

- The individual has the right to view or make a copy of his/her PHI, but the original source PHI shall not be removed from the health system.

- In some circumstances parents, legal guardians, or others as described above can be restricted from PHI. See the full policy for details.

What is the Process for Requesting PHI?

- Requests to access PHI, even your own, must be in writing as defined in the Notice of Privacy Practices of EMHC.

- EMHC has 30 days to respond to the request. If the request is denied, the reason for the denial will be provided. If the request is delayed, the reason for the delay will be provided.

- EMHC can deny access, without appeal by the requestor, in the event that the PHI was not created by EMHC, or in the event that access to the PHI could reasonably endanger the life or safety of another person.

Hospitalized patients or patients currently receiving treatment can request access to their PHI by:

- Verbally expressing the request to the licensed health care professional.

- The decision to provide the PHI is made by the individual’s nurse or physician, except in circumstances involving treatment of mental illness, alcoholism, drug dependency, or developmental disabilities.

- If access is granted, the individual is required to complete and sign an Authorization for Release of PHI (Disclosure).

Discharged individuals should be referred to:

- Medical Records for access to PHI in their medical record

- The laboratory for lab reports

- Pathology for slides or specimens

- Radiology for X-ray films

- Patient Business Services for billing or claims information

Amendment of PHI Policy

One important aspect of HIPAA is that patients not only have a right to access their PHI, but they also have a right to review and amend their PHI should the need arise. This policy was written to put procedures in place regarding how requests to amend PHI should be handled. The following are important aspects of the policy to remember:

- To make changes to, or amend, PHI, the individual should be referred to Medical Records or to the author of the PHI.

- Medical Records will assist in the completion of the Health Record Correction/Amendment form.

Who Should I Report Breaches/Violations To?

It is important to remember that complying with HIPAA is everyone's obligation. To meet your obligation, first you must make sure that your actions are in line with the policies and procedures we have established to comply with HIPAA. Second, you must be willing to report any violations of these policies and procedures. Remember, EMHC promotes an environment of learning; therefore any employee who comes forward in good faith to report a violation of these policies, or a breach of confidentiality, shall in no way be punished or receive retribution for their reporting. Finally, because it is so important to get breaches of confidentiality or violations of these policies out in the open, anyone who has a reasonable basis to believe that a breach or violation has occurred, yet does not report it, is subject to the same disciplinary action as the person(s) involved in the breach or violation. Through this reporting process we can assure our patients that we are doing everything we can to protect their privacy and the safety of their PHI.

To report violations, employees have the following three options:

- Your Immediate Supervisor

- Privacy Officer:

  Claudia Niersbach, ext. 41010, Elmhurst Memorial Hospital

  Samantha Chang, ext. 79933, Elmhurst Clinic

  Linda Murakami, ext. 73632, Home Health and Hospice

  Lynn Suwanski, ext. 73714, ELMCARE

- Confidential Corporate Compliance Hotline: (800) 901-7422
