HIPAA Privacy and Security/HITECH Training 2014-2015

Greetings,

As many of you know, all health care organizations were required to be compliant with the HIPAA Privacy Regulations in 2003 and later with the HIPAA Security Regulations that became effective in 2005. New legislation referred to as HITECH (2009) addresses additional requirements. One of the requirements under these laws is mandatory training for all unpaid individuals offering their services to the UConn Health Center who, as part of their experience, will have access to patients' protected health information. This training includes a review of the organization's policies and procedures relating to protecting patient information.

We have developed the attached training packet for your review and completion. It is a summary of your responsibilities as an unpaid individual offering your service to the UConn Health Center (UCHC). Completion of these materials will satisfy your HIPAA training requirements for any UCHC site. At the end of the text is a self-knowledge check on the materials. Please sign the next page of the packet indicating that you have completed the training packet and return it to your UCHC host. Continued participation in your Program is contingent upon proof of completion of this material.

We are available to you to answer any questions or to address any concerns about the privacy and security of patient information during your work at UCHC.

Thank you in advance for your cooperation,

Iris Mauriello, RN, CHC
Corporate Compliance Integrity Officer and HIPAA Privacy Officer

Jonathan Carroll
AVP, Enterprise IT Operations and Information Security Officer


Certification of HIPAA Privacy/Security/HITECH Training Packet Completion 2014-2015

I have read and understand the UConn Health Center HIPAA Privacy/Security/HITECH training materials.
Further, I understand that the location of additional information about the UConn Health Center policies and procedures related to patient privacy has been detailed in the training documents.

Printed Name: _______________________________________________

Signature: _______________________________________________    Date: ______________


HIPAA/HITECH Privacy and Security Student Training
Academic Year 2014-2015

Introduction

Welcome to HIPAA/HITECH Privacy and Security training. As you may know, all health care organizations are required to comply with the HIPAA/HITECH Privacy and Security Regulations. These regulations have undergone several updates, the latest of which were enacted in early 2013.

As UCHC School of Medicine and School of Dental Medicine students you will have access to patients' confidential health information as part of your educational experience. Therefore, you are required to complete HIPAA/HITECH training. Thank you for completing this training. Continued participation in your educational program is contingent upon proof of completion.

"When it comes to privacy and accountability, people always demand the former for themselves and the latter for everyone else." (David Brinkley)

UCHC's Confidentiality Policy

"All individuals are expected to be professional and maintain confidentiality at all times, whether dealing with actual records, projects, or conversations...."

"All individuals having access to confidential information are bound by strict ethical and legal restrictions....."

Refer to UCHC policy # 2002-43: Confidentiality

What types of information must UCHC protect?

- Medical, dental and behavioral health-related patient information.
- Research data requiring protection (clinical trials, patient survey responses, etc.), as required by the NIH.
- Student information.
- Employee human resources and financial information.
- Any information about employees, students, patients, Board Members, etc. that includes Social Security numbers.
- Financial information.
- IDs and/or passwords for access to Health Center computing resources.
- Other confidential or sensitive Health Center information not in the public domain.

HIPAA/HITECH Privacy and Security

HIPAA at a Glance

HIPAA stands for: Health Insurance Portability and Accountability Act.

- The "Health Insurance Portability" (HIP) part of HIPAA was intended to ensure the continuity of health insurance coverage for workers changing jobs. To facilitate this goal, Congress mandated national standards for transmitting and protecting health information.
- The "Accountability" part of HIPAA was designed to ensure the security and confidentiality of patient information and requires uniform standards for the electronic transmission of data relating to patient health information.

HIPAA Privacy

The HIPAA Privacy Rule was enacted to:

- establish national privacy protection standards for all forms of health information created by "covered entities", including health care providers.
- set limits on the uses and disclosures of such information.
- give patients rights over their health records.

HIPAA Security

The HIPAA Security Rule was enacted to:

- establish national standards for the security of electronic protected health information (ePHI).
- protect individuals' ePHI that is created, received, used or maintained by covered entities.
- outline the administrative, technical and physical safeguards that ensure the confidentiality, integrity and availability of ePHI.

What is HITECH?

HITECH stands for: Health Information Technology for Economic and Clinical Health Act. It is part of the American Recovery and Reinvestment Act (ARRA).

The HITECH interim rule was enacted in 2009. It:

- widened the scope of privacy and security protections under HIPAA.
- included incentives related to health care information technology, such as creating a national health care infrastructure and adopting electronic health record (EHR) systems.

The HITECH final rule was enacted in January 2013. It made a significant number of changes to HIPAA Privacy and Security.

We've Come a Long Way.....Maybe

Electronic data transmission is a double-edged sword. More technology means more ways for personal information to be exposed, so as technology changes we have to do more to protect that information. The confidential information we come in contact with every day is only as safe as our weakest link.

What is Protected Health Information (PHI)?

Any individually identifiable health information, in any format, including:

- paper or other media.
- verbal.
- photographed or duplicated.
- electronically maintained and/or transmitted.

What makes PHI identifiable?

Any unique number, code or characteristic that links information to a specific individual, such as:

- Name
- Address
- Zip Code
- Telephone number
- Fax number
- Photographs
- Fingerprints
- Email address
- Internet address
- Dates
- Social Security Number
- Medical Record Number
- Patient Account Number
- Insurance Plan Numbers
- Vehicle Information
- License Numbers
- Medical Equipment Numbers

What is "de-identified" information?

Information from which the specific identifiers listed above have been removed so that it cannot be linked to any individual or be re-identified. If patient information is de-identified it is not considered PHI and is not protected under the HIPAA privacy regulations.

Refer to UCHC Policy # 2003-29: Creation, Use and Disclosure of De-identified PHI

Genetic Information

Genetic information, including family history, is considered PHI under HIPAA. It includes:

- genetic tests, requests for genetic services, or participation in clinical research that includes genetic services, by an individual or his/her family member.
- any manifestation of a disease in the individual's family member.

Genetic information may not be used for underwriting purposes.

Protecting PHI

All health information that can be linked to an individual must be protected under HIPAA.
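The identifier list in the "What makes PHI identifiable?" section is what a de-identification check has to remove before material can be treated as no longer linked to a person. The Python below is an added example, not part of the UCHC packet or any UCHC system: it scans free text for the structured identifiers in that list and redacts them. The regular expressions, the assumed MRN format ("MRN 1234567") and the sample note are constructed for illustration. It also shows the limit of such a check: names, street addresses and rare characteristics cannot be caught by pattern matching, so a clean result still needs human review before the material leaves the institution.

```python
"""Scan free text for the structured identifier categories that make health
information PHI, and redact them.

Added example, not code from the UCHC training packet. Pattern formats,
the MRN format and the sample note are assumptions for illustration.
"""
import re

# Assumed formats: SSN 123-45-6789; US phone/fax; e-mail; ISO or US dates;
# 5- or 9-digit ZIP; an assumed "MRN 1234567" medical record number;
# dotted IPv4 address; URL. Names and addresses are deliberately absent:
# they cannot be matched reliably and need a human reviewer.
PATTERNS = {
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date":  re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{2,4})\b"),
    "zip":   re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    "mrn":   re.compile(r"\bMRN[:# ]?\s*\d{6,10}\b", re.IGNORECASE),
    "ip":    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url":   re.compile(r"\bhttps?://\S+", re.IGNORECASE),
}

# Constructed clinical note; not a real record.
SAMPLE_NOTE = (
    "Pt seen 03/05/2014 for hand laceration. MRN 4471093. "
    "Lives in 06030, call 860-555-0142, jdoe@example.com. "
    "Wound on dorsum of left hand, 3 cm, sutured, no complications."
)


def find_identifiers(text):
    """Return {category: [matched strings]} for every pattern that fires."""
    found = {}
    for name, pattern in PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            found[name] = hits
    return found


def redact(text):
    """Replace each matched identifier with a [CATEGORY] placeholder."""
    for name, pattern in PATTERNS.items():
        text = pattern.sub(f"[{name.upper()}]", text)
    return text


def looks_deidentified(text):
    """True only when no structured identifier pattern fires.

    A False result is reliable; a True result still needs review, because
    names, addresses and unusual characteristics are not pattern-matchable.
    """
    return not find_identifiers(text)


if __name__ == "__main__":
    print("identifiers found:", find_identifiers(SAMPLE_NOTE))
    print("redacted note:", redact(SAMPLE_NOTE))
    print("safe to share without review?", looks_deidentified(SAMPLE_NOTE))
```

The redacted note keeps the clinical content (a sutured hand wound) and drops the date, MRN, ZIP code, phone number and e-mail address, which is the same distinction the knowledge check draws between a wound photograph of an unidentified patient and a discharge summary.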
As an institution, UCHC has an obligation to protect the privacy of patient information and to maintain the security of that information on our electronic systems. Everyone must be vigilant in handling confidential information in a way that prevents improper exposure. HIPAA is ultimately about patients and their right to expect protection of their health information.

Patient Rights under HIPAA

Patients have the right to:

- receive an accounting of certain disclosures of PHI.
- view and obtain copies of their records.
- request an amendment to their medical records.
- request that any communication related to PHI be directed to a specific location.
- request restrictions on the use or sharing of their information.
- receive the UCHC "Notice of Privacy Practices" (NPP) outlining these rights.

Patient Right to an Accounting of Disclosures

Upon request, patients must be provided a list of all PHI disclosures made outside of the institution, including:

- disclosures of which the patient may not otherwise be aware.
- improper disclosures resulting in a breach.

An accounting of such disclosures is maintained in the patient's medical record on the "Protected Health Information Disclosure Tracking Log".

Disclosures exempt from the accounting requirement include:

- those for treatment, payment or health care operations (TPO).
- those directed to the patient or made in response to the patient's authorization.

Refer to UCHC policy # 2003-18: Accounting of Disclosures of Protected Health Information to Patients, and to the Protected Health Information Disclosure Tracking Log.

Patient Right to View His/Her Record

- Patients have a right to view their records upon request.
- Only written requests using the UCHC "Request to View Record/Notification of Approval or Denial to View" form are accepted.
- Requests are reviewed with the patient's attending of record to determine whether the request will be honored.
- UCHC and the physician will provide a written response to the patient regarding any request denial.
- Original records are the property of UCHC and may not be removed from the facility except by court order.

Refer to UCHC policy # 2003-17-A: Patient Right to View His/Her Medical and/or Billing Record

Patient Right to Obtain a Copy of His/Her Medical/Dental or Billing Records

Patients also have the right to request copies of their PHI in any form they choose, or in a mutually agreed-upon form, provided the PHI is readily producible in that format. If PHI is maintained electronically, UCHC is required to provide an electronic copy at the patient's request. However, UCHC is not required to provide unlimited format choices.

Refer to UCHC policy # 2003-17-B: Patient Right to Copy His/Her Medical and/or Billing Record

Patient Right to Send Record Copies to Others

Patients may also request that copies of their medical records be sent to other designated individuals. Requests must be made in writing, clearly identifying the designated recipient and where to send the copy. Records may be provided in unencrypted form only if the patient understands the risk and agrees to it in writing. It is recommended that records not be sent via email.

Patient Requests for Record Copies

- Patient requests for record copies must be addressed (granted or denied) within 30 days.
- A one-time 30-day extension is allowed, with notification to the patient.
- A reasonable, cost-based fee may be charged.
- Requests for record copies may be denied under certain circumstances.
- Patients have a right to appeal a denial.

Patient Right to Amend His/Her Medical Record

- Patients can request that corrections be made to any inaccurate or incomplete information in their medical, research, or billing records.
- Only written requests are accepted.
- A request to amend may be denied. The patient may then write a statement of disagreement, to which UCHC may write a rebuttal.
- Copies of all such documentation are maintained in the patient's record.

Refer to UCHC policy # 2003-17-C: Patient Right to Amend Their Medical and/or Billing Record, and the Request for Amendment of Health Information form.

Patient Right to Confidential Communications

UCHC must honor all patient requests to receive communications of PHI from UCHC by alternative means or at alternative locations. Follow the steps outlined in UCHC policy # 2003-15: Patient Right to Request Confidential Communications.

Patient Right to Restrict Disclosures to Health Care Plans

UCHC must honor a patient's request to restrict a disclosure of PHI to a health plan if:

- the disclosure is to carry out payment or health care operations.
- the disclosure is not required by law.
- the PHI pertains solely to a health care item or service for which the patient, or another person on the patient's behalf, has paid out of pocket and in full.

Policy updates are in progress to reflect the 2013 changes to the HIPAA/HITECH rules.

Notifying Patients of Their Rights Under HIPAA: Notice of Privacy Practices (NPP)

The Notice of Privacy Practices includes UCHC's pledge to patients to keep their medical, dental and billing information private. The NPP must be:

- provided to all patients (excluding inmate/patients).
- acknowledged by anyone receiving the notice.
- posted in a prominent location.
- available on UCHC's website.

Refer to UCHC policy # 2003-13: Permission to Treat/Assignment of Benefits/Authorization to Release Medical/Dental Records/Acknowledgment of Receipt: Notice of Privacy Practices (Privacy and Security of Protected Health Information (PHI))

The NPP describes for patients:

- how their PHI is used and disclosed.
- their rights regarding their health information.
- how to exercise those rights.

The NPP is undergoing updates to reflect the 2013 changes to the HIPAA/HITECH rules. When available, all areas utilizing NPPs must obtain, use and post the updated version.
Patient Authorizations Regarding Their PHI

Sharing PHI Without Authorization: Remember "TPO"

In order to access, use or share PHI without a signed patient authorization, the purpose must be related to:

- Treatment: within and between health care providers across UCHC or in the community.
- Payment: for treatment.
- Operations: normal UCHC business activities, such as quality improvement, training, audit/legal/compliance reviews and evaluating caregiver performance.

Other than for TPO, Protected Health Information (PHI) may be shared without a signed authorization for the following reasons:

- Public health activities: preventing or controlling disease; reporting abuse, neglect or domestic violence; FDA-regulated product safety.
- To provide information to coroners, medical examiners, or funeral directors.
- Organ donation.
- Health oversight activities: audits; civil, administrative, or criminal investigations; inspections.
- Court order or subpoena.
- For law enforcement purposes related to crimes, provided certain criteria are met.

Refer to UCHC policy # 2003-27: Use and Disclosure of PHI Where Authorization or Opportunity for Patient to Agree or Object is NOT Required

Disclosure of Patient Information to the Public and Community Clergy Members

Unless a patient objects, UCHC may disclose that patient's location (hospital room and telephone number) to persons who inquire about that patient by name. Members of the clergy will also be provided with a patient's religious affiliation unless the patient objects.

Refer to UCHC policy # 2003-26: Directory Information: Disclosure of a Patient's Information

Communicating with a Patient's Family and Friends

PHI should never be shared with a patient's family member, friend or others involved in a patient's care unless the patient has given permission to do so. A patient can indicate during a discussion with caregivers that a particular person may be included in that discussion of medical and/or financial information. If a patient is unable to communicate his/her wishes for any reason, UCHC may determine whether a particular disclosure is in the best interest of the patient.

Refer to policy # 2003-25: Use and Disclosure Involving Family and Friends

Disclosures Regarding Decedents

Care providers may disclose PHI to a family member or person who was involved in the care of a deceased patient, unless the decedent expressed otherwise while he or she was alive. Use your knowledge or best judgment regarding disclosure. HIPAA no longer protects the PHI of individuals who have been deceased for more than 50 years.

When is a patient authorization required?

In general, if the reason for access, use, or disclosure of information is not related to "TPO" (or one of the other permitted purposes above), you must have a signed patient authorization. Never access, use or disclose PHI without the patient's authorization where one is required.

Refer to UCHC policy # 2003-16: Authorization for Release of Information, and the associated authorization form.

Patient Authorizations

A valid authorization must include:

- the PHI to be released.
- who may release the information.
- who may receive the information.
- the purpose of the disclosure.
- an expiration date.
- the signature of the patient or patient representative.

Use only UCHC HIPAA-compliant authorization forms. A patient may withdraw an authorization at any time, except to the extent that UCHC has already used or released information under the valid authorization.

Refer to policy # 2003-16: Authorization for Release of Information.

Protecting Confidential Patient Information

Minimum Necessary Rule

Except for treatment purposes, limit access, use or disclosure of PHI to the minimum necessary to accomplish the intended purpose. Access, use or disclose:

- only the PHI needed to complete an assigned task in your student role, and
- only when the specific PHI is necessary to perform that task.

Unless you need certain patient information to carry out your student responsibilities, do not access that information.

Refer to policy # 2003-21: Minimum Necessary Data

Students' Friends and Family: Access and Disclosure

Unless required for a specific educational task, students may not:

- access family members' or friends' information, even if they ask you to do so.
- access supervisors' or other students' information, even if they ask you to do so.

Students may not disclose patient information to anyone who is not authorized to have the PHI, including family, friends, neighbors and fellow students.

UCHC policy prohibits students who are also patients from accessing their own medical information for personal reasons.

Verifying Information Requests

Before sharing any PHI, UCHC will verify:

- the identity of the individual requesting the information.
- that this individual has the right to obtain the information requested.

If a patient calls to obtain information about him/herself, UCHC will verify the individual's identity using information available in the Patient Registration system. If an individual's identity and/or legal authority cannot be verified, UCHC staff will not disclose the PHI and will report the request to their immediate supervisor.

Refer to policy # 2003-20: Verification of Individuals or Entities Requesting Disclosure of Protected Health Information

Verbal Exchanges Involving PHI

- Discuss PHI only with those who have a "need to know" for specific assigned job functions.
- Be aware of your surroundings when discussing patient information. Move to a private area if needed.
- Avoid discussions involving PHI in areas where you may be overheard, such as cafeterias, hallways, elevators and patient waiting rooms.

Telephone/Voicemail/Answering Machine Disclosure of PHI

- Never give information containing PHI over the phone to someone other than the patient.
- Leave only generic information on voicemail or answering machines. Never leave any PHI, including any indication of the services being performed or the service provider.

Refer to UCHC policy # 2003-24: Telephone/Voicemail/Answering Machine Disclosure of PHI

Managing Written PHI

Documents containing PHI must be:

- turned face down when not in use.
- kept locked in an office, file cabinet or other storage location.

Check printers, fax machines and copiers after using them to ensure that no papers are left behind. Never remove paper documents containing PHI from any facility.

Faxing PHI

- Faxing patient information outside of UCHC is allowed when health information is needed immediately or when mail or courier delivery will not meet a necessary timeframe.
- Employees authorized to fax PHI must confirm the accuracy of the fax numbers and the security of the recipient machines.
- Any fax sent to a location outside of UCHC must be accompanied by a UCHC-approved fax cover sheet.
- Fax machines used to receive or transmit health information must be located in a secure area to protect the information from unauthorized users.

Receiving faxes:

- Schedule with the sender whenever possible so that the faxed documents can be promptly removed from the fax machine.
- Notify the sender if you receive a misdirected fax so that it can be sent to the correct party.

Refer to UCHC policy # 2003-23: Faxing of Protected Health Information, and the fax cover sheet.

Disposal of Paper Containing PHI

Dispose of documents containing PHI (faxes, printed emails, informal notes or copies of patient notes) either by tearing them up or by placing them in secured shredder bins. Never dispose of documents containing PHI in a trash or recycling receptacle or in a publicly accessible area. Copies of PHI used for case presentations or other academic requirements must be destroyed in a confidential manner.

Refer to policy # 2008-01: Disposal of Documents/Materials Containing PHI and Receipt, Tracking and Disposal of Equipment and Electronic Media Containing Electronic Protected Health Information.

Managing Electronic Information

"You can't hold firewalls and intrusion detection systems accountable. You can only hold people accountable." (Daryl White)

Acceptable Use of UCHC's Information Technology Resources

UCHC workforce members are responsible for the appropriate use and security of ePHI when using any IT resource. Using any unauthorized IT resources, or using IT resources in a way that could disrupt operations or compromise security, is prohibited.

Refer to policy # 2011-02: UCHC Information Security: Acceptable Use

Data Authentication and Physical Safeguards

To protect against unauthorized access, IT resources must be physically secured. Never leave computers or laptops unattended or unsecured in public areas. Where feasible, authentication to systems or devices containing ePHI must:

- use a unique logon and password.
- be encrypted.

Refer to UCHC policy # 2011-01: UCHC Information Security: Data Authentication, Physical Safeguards

Access Control to Facilities

UCHC limits physical access to all confidential information, including to the facilities in which it is housed. Lock all file cabinets and rooms that contain confidential information. Always wear your UCHC identification badge for proper access.

Refer to policy # 2005-04: UCHC HIPAA Security Facility Access Control

Virus Protection

All computer equipment connected to the UCHC network must:

- have UCHC-approved, up-to-date anti-virus software installed.
- remain current with the manufacturer's operating system security updates.

Refer to policy # 2005-10: UCHC HIPAA Security Virus Protection Policy

Mobile Computing Devices (MCD)

MCDs include UCHC laptop computers, smartphones, tablet devices and USB storage devices. Confidential data may not be stored on UCHC or non-UCHC MCDs unless:

- only the information needed for a particular function is stored.
- the information is stored only for the time period needed to perform that function.
- the device is encrypted by UCHC IT.
- the data is protected from unauthorized access and disclosure.

Bring Your Own Device (BYOD)

Users will be granted the authority to configure their personally-owned MCDs to access UCHC's electronic information. Personally-owned MCDs must be registered and secured at UCHC's BYOD website. Additional information about BYOD can be found at http://its.uchc.edu/Help/BYOD.aspx

Refer to policy # 2008-03: Mobile Computing Device (MCD) Security

Disposing of Electronic Confidential Information

Secure methods must be used to dispose of electronic data and output. Prior to the removal or sale of any electronic storage media or devices, contact the UCHC Materials Management Department to remove all UCHC information, including PHI, residing on the devices. Never leave computers, laptops or other devices unattended while awaiting disposal.

Refer to policy # 2008-01: Disposal of Documents/Materials Containing PHI and Receipt, Tracking and Disposal of Equipment and Electronic Media Containing Electronic Protected Health Information.

Electronic Systems Access Control

- Access to UCHC's information systems is granted only to appropriately identified, validated and authorized individuals.
- Users must each have a unique login and password.
- Memorize your password and do not share your account information (username/password), password creation or password changes.
- Do not log in to your computer to allow a fellow student to work under your username, or request that another student do the same for you.
- Ensure that all laptops are encrypted as required by UCHC policy.
- Always log off your computer, or use a screen saver, after using a shared computer or when your computer is left unattended.
- You may be held responsible for improper access by another individual under your username and password.

Refer to UCHC policy # 2011-03: UCHC Information Security: Systems Access Control

Electronic PHI (ePHI)

ePHI is Protected Health Information stored on electronic systems or transmitted through electronic means. It includes patient information stored on:

- personal computers with internal hard drives.
- removable storage devices such as USB memory sticks/keys, CDs/DVDs, disks, back-up tapes and external hard drives.
- mobile devices.

Electronic transmission is data exchanged via the network, including wireless and DSL/cable home network connections.

ePHI also includes patient information located on any UCHC electronic information management system, including IDX, LCR, eHIMS, NextGen, IBEX and others.

Monitoring of Electronic Patient Information Systems

Access to patient records is logged by each Health Center system. Audit logs are reviewed to ensure information is accessed only on a "need to know" basis. If you do not have a legitimate educational purpose for accessing a patient's PHI, you are not allowed to view that information.

Think before you click....... "Minimum necessary" also applies to electronic PHI. Access/use PHI stored in electronic systems only when it is necessary to perform your assigned job functions, and access/use only the minimum necessary PHI to complete your assigned task.

Emailing PHI

- Hand deliver or mail PHI whenever possible.
- When necessary for treatment, payment or operations, email PHI only to individuals who are authorized to receive the information.
- E-mail only from and to secure addresses within the UCHC network (i.e. addresses ending in uchc.edu).
- Verify that the recipient's address is secure before sending PHI via e-mail.
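The audit-log review described under "Monitoring of Electronic Patient Information Systems" can be partly automated by comparing each logged record access against the user's documented care or educational assignments. The Python below is an added example, not code from any UCHC system; the log format, the patient roster and the care-assignment table are constructed for illustration, and in practice the assignment data would come from scheduling, encounter or rotation records. It flags the patterns the packet warns about: a student opening their own record, a workforce member's record, or the record of a patient they are not assigned to.

```python
"""Flag EHR record accesses that lack a documented need to know.

Added example for illustration only; not code from any UCHC system. The log
format, the patient roster and the care-assignment table are constructed.
"""
import csv
from io import StringIO

# Constructed audit log in the shape such systems typically export:
# who opened which record, when, and what they did.
ACCESS_LOG = """timestamp,user,patient_mrn,action
2014-09-02T08:14:00,jeremy.s,4471093,view
2014-09-02T08:16:30,jeremy.s,5530021,view
2014-09-02T09:02:10,maria.n,4471093,view
2014-09-02T12:40:55,bert.k,9900017,view
2014-09-02T13:05:00,ernie.p,9900017,edit
"""

# Constructed patient roster. "account" is the workforce login of a patient
# who is also a student or employee, or None for everyone else.
PATIENTS = {
    "4471093": {"name": "Jane Doe", "account": None},
    "5530021": {"name": "Jill Samson", "account": "jill.s"},    # fellow student
    "9900017": {"name": "Bert Kowalski", "account": "bert.k"},  # student who is also a patient
}

# Constructed care assignments: the MRNs each user has a treatment or
# educational relationship with (the "need to know").
ASSIGNMENTS = {
    "jeremy.s": {"4471093"},
    "maria.n": {"4471093"},
    "bert.k": set(),
    "ernie.p": {"9900017"},
}


def review_access_log(log_text, patients, assignments):
    """Return (timestamp, user, mrn, reason) tuples for accesses needing review.

    A flag is a review item, not a verdict: an assigned caregiver may
    legitimately open a co-worker's record, but it still warrants a look.
    """
    flagged = []
    for row in csv.DictReader(StringIO(log_text)):
        user, mrn = row["user"], row["patient_mrn"]
        patient = patients.get(mrn, {"account": None})
        reasons = []
        if patient["account"] == user:
            reasons.append("self-access")
        elif patient["account"] is not None:
            reasons.append("record of a workforce member")
        if mrn not in assignments.get(user, set()):
            reasons.append("no care assignment")
        flagged.extend((row["timestamp"], user, mrn, r) for r in reasons)
    return flagged


def users_to_review(flags):
    """Collapse flags into {user: sorted reasons} for a reviewer's work queue."""
    queue = {}
    for _, user, _, reason in flags:
        queue.setdefault(user, set()).add(reason)
    return {user: sorted(reasons) for user, reasons in queue.items()}


if __name__ == "__main__":
    for item in review_access_log(ACCESS_LOG, PATIENTS, ASSIGNMENTS):
        print(*item, sep="  ")
```

On the constructed log, maria.n's access is clean (assigned patient, not a workforce member), jeremy.s is queued for opening a fellow student's record with no assignment (the situation in knowledge-check question 7), and bert.k is queued for viewing his own record, which the packet says students may not do for personal reasons.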
- Email encryption must be used to send any confidential information outside of the UCHC network.

Refer to policies: # 2012-01: E-mail Communication with Patients/Research Participants; # 2011-04: Electronic Communication of UCHC Confidential Data: Use of Email Encryption

Email Encryption

To send a secure email, either click the icon in the upper left-hand corner of the email message screen, OR include [Secure] (the brackets and the word) in the email subject line.

Texting PHI

Texting confidential information, including PHI, is not permitted under any circumstances. Text messages are not encrypted and are therefore never secure. Any text message sent containing confidential information, including PHI, is a violation of UCHC policy and of state and federal law, and must be reported immediately.

Social Media

PHI or other confidential information should never be shared on social media sites. Any medical information that is posted must be completely de-identified. Although you may think information has been de-identified, it may still be possible to identify an individual, even from minimal information.

Managing Breaches of PHI

Breaches

A breach is any improper access, acquisition, use or disclosure of PHI that compromises the security or privacy of the information, unless it can be demonstrated that there is a low probability that the PHI has been compromised. This includes situations in which more than the minimum necessary PHI is involved. All potential breaches are evaluated by UCHC and may result in notifying the affected patient(s) and the federal Office for Civil Rights (OCR). OCR may investigate any breach that is reported.

Managing Breaches

Known or suspected breaches must be acted upon without delay to assess the situation and mitigate risk. There are strict timeframes for notifying the affected patient(s) and the Office for Civil Rights. If you know or suspect that a breach has occurred, report it to your preceptor or a UCHC manager immediately. The UCHC Privacy and/or Security Offices will be contacted for guidance.

Examples of Breaches that Have Occurred at UCHC

Paper:
- Lab requisitions, test results or other confidential communications mailed to the incorrect patient.
- Discharge paperwork handed to the wrong patient.
- Paperwork containing PHI left in public areas.

Verbal:
- Discussing a patient's medical information in a public area.
- Discussing a patient's medical information in front of others without the patient's permission.

Electronic:
- Accessing patient information for purposes that are not related to job functions, educational responsibilities and/or assigned tasks, including the PHI of co-workers, family members, friends, and VIPs.
- Lost unencrypted laptops or other mobile devices containing PHI.
- Texting PHI.
- Computer screens containing PHI that are visible to unauthorized individuals.

Tips for Preventing Breaches

- Keep track of documents containing PHI (don't leave them unattended, don't take them into the restroom, etc.).
- Keep private conversations private if PHI is being discussed (you never know who may overhear).
- Never text PHI.
- Do not share PHI via social media.
- Obtain a patient's permission before involving others in a discussion that includes PHI.
- Do not access or use patient information that is not related to your student responsibilities.
- Never disclose PHI to anyone who is not authorized to have the information.
- Encrypt all electronic equipment that may contain PHI.

Patient Complaints Regarding Breaches of PHI

Patients may contact the UCHC Patient Relations Department with any concerns related to the privacy or security of their PHI. Patients may also elect to register a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights.

Refer to UCHC Policy # 2003-19: Patient Complaint Regarding Use and Disclosure of PHI

UCHC Policies

Please review UCHC's Confidentiality Policy at: http://www.policies.uchc.edu/policies/policy_2002_43.pdf

All HIPAA Privacy and Security policies are located at:
http://www.policies.uchc.edu/area/hipaa_privacy.html
http://www.policies.uchc.edu/area/hipaa_security.html

UCHC Contacts

For Privacy questions or to report Privacy violations contact: Iris Mauriello, Privacy Officer, 860-679-3501, [email protected]

For Security questions or to report Security violations contact: Jon Carroll, Information Security Officer, 860-679-3528, [email protected]

You may also report any Privacy or Security concern anonymously through the UCHC REPORTLINE: 1-888-685-2637

Knowledge Check

1. Which of the following is not considered Protected Health Information under HIPAA?
   A. An EKG report for a participant in a human subject research study.
   B. A discharge summary for a JDH patient.
   C. A photo used for student education showing only a wound on the hand of an unidentified patient.
   D. A patient invoice that includes a listing of diagnostic lab tests completed.

   The correct answer is "C". Only information that cannot be linked in any way to a particular individual is not considered PHI.

2. Maria is a nursing student and has cared for a patient who had a minor procedure done in the surgery center. The patient's neighbor has come to give the patient a ride home after the procedure and is waiting with the patient. Maria needs to review the procedure and discharge instructions with the patient. Maria isn't sure whether the patient has given permission to communicate with her neighbor. What should Maria do?
   A. Review the information privately with the neighbor first, since she is taking the patient home.
   B. Review the information with the patient and neighbor together, since the patient must approve if the neighbor is in the room.
   C. Discharge the patient and plan to review the information during her next clinic appointment.
   D. Ask the patient's permission to review the information in front of her neighbor.

   The correct answer is "D". Unless you are sure the patient has given permission to communicate PHI with another individual, always check with the patient before sharing any information.

3. A signed patient authorization gives UCHC permission to disclose any and all parts of a patient record. True or False?

   The correct answer is "False". The patient authorization specifies which parts of the medical record may be shared. Only disclose the sections indicated, unless the patient has given permission to share the entire record.

4. While eating lunch in the cafeteria, you overhear a group of students discussing a patient, including diagnosis, treatment plan and prognosis. You notice other employees as well as visitors at nearby tables. What should you do?
   A. Move to another table so you won't hear the discussion.
   B. Stare at the group in hopes that they get the message to end their conversation.
   C. Politely remind them that they should not discuss patients in a public area.
   D. Sit down and join them, since the discussion sounds really interesting.

   The correct answer is "C". Patient information should only be discussed in a private area and only with those who have a right to know the information.

5. Sarah is a staff member in the Cancer Center. At the request of her patient, she calls the patient to report her recent lab results. The patient has indicated on the UCHC "Permission to Communicate" form that information may be shared with her husband, whom she has identified by name. When Sarah calls the patient's home, she reaches the patient's sister, who tells her that the patient is not at home. What should Sarah do?
   A. Tell the patient's sister that she is calling from the Health Center and ask that the patient return her call.
   B. Tell the patient's sister that she is calling from the UCHC Cancer Center with lab results and ask that the patient call her back.
   C. Ask the sister to get a pen and paper to write down the results to give to the patient.
   D. Hang up and call back at another time.

   The correct answer is "A". Never leave a message containing specific information if the patient has not given permission to communicate with that particular individual.

6. Bert and Ernie are students and friends who are completing an internship on the same patient care unit. Ernie runs into a problem with his username and password and finds that he cannot log onto the computer to document in a patient's record. To save time, he asks to borrow Bert's username and password until he has a moment to contact the Information Technology Helpdesk. What should Bert do?
   A. Give Ernie his username and password to log on.
   B. Offer to log on under his own username and password to allow Ernie to write his note.
   C. Explain to Ernie that UCHC policy does not allow him to share his username and password.
   D. Get another student to log on and let Ernie complete his note.

   The correct answer is "C". Never allow another student to use your password, or ask to use a fellow student's logon information. You are responsible for any documentation completed under your username and password.

7. Jeremy, a social work student, is searching in an electronic system for the record of a clinic patient. The patient happens to have the same last name as a fellow student, Jill. During his search he sees Jill's name on the list of patients and notes that she has a medical record in the system. Jeremy is curious about Jill's medical information, so he looks and finds that she recently had surgery. Did Jeremy do the right thing?
   A. Since Jeremy "inadvertently" discovered that Jill is a patient, it's OK to view her record.
   B. Jeremy may not access any patient's record unless the reason is specifically related to his student responsibilities.
   C.
Jeremy may view Jill’s medical record, but he shouldn’t tell her that he knows she had surgery. D. Because Jill is a student, she cannot expect her information to be kept private. Anyone with access to a patient information system is allowed to access her record. The correct answer is “B”. Students who are also UCHC patients are entitled to the same privacy as any patient. 8. While answering the phones in a busy clinic, you receive a phone call from a patient who reports that, in addition to her own lab results, she received the lab results of another patient in the mail. What should you do? A. Apologize for the error and tell the recipient to throw the other individual’s results in the trash. Notify the unit manager of the call when you have a chance. B. Ask the recipient to tell you the name of the other patient and any specific PHI that was sent in error. Notify the unit manager and review the PHI that was released in error. C. Tell the recipient to call back at another time when the manager or a staff member is available. D. Thank the recipient for calling to report the error. Notify the unit manager or a staff member while the patient is on the phone as this is a potential breach that must be managed immediately. The correct answer is “D”. The manager or staff member must address the situation immediately to minimize the risk to the patient’s information that was inappropriately disclosed. 9. An outside practitioner will be following a UCHC patient with whom you have been working. Your preceptor/manager confirms that it is permissible to share PHI related to the patient’s follow‐up care with this particular practitioner. The practitioner sends you an email asking for a summary of the patient’s condition and treatment. Which of the following should you do? A. Simply reply to the email with the information requested. B. Reply and click the “Secure” button prior to sending the email. C. Reply and type [secure] in the subject line or message. D. Either B or C. 
The correct answer is “D”. Always click the “Secure” button or type [secure] when sending PHI outside of the institution via email. 10. Denise is a nursing student who recently assisted with a patient in the UCHC Emergency Department (ED) that had been involved in a serious car accident. The accident was reported on the local news and on the front page of several newspapers. Denise can’t wait to tell her friends about her ED experience so she posts on her Facebook page details about the accident, the patient’s injuries and a picture she took with her cell phone. She is careful not to disclose the patient’s name or to expose the patient’s face but assumes it is OK to share other information including the patient’s age, sex and town of residence. Did Denise breach this patient’s confidentiality? Yes No The correct answer is “Yes”. Students should never photograph patients with a personal cell phone and post photos on social media. In addition, even though Denise did not include the patient’s name or photo of the patient’s face, it is possible for others reading her post to identify the patient, given the information that was shared and the fact that the accident was highly publicized. This, therefore, would rise to the level of a breach under the HIPAA/HITECH regulations.