Ascension Health Presents: HIPAA and the Health Care Professional

Introduction…
HIPAA is one of the newest regulatory changes affecting the healthcare industry. Congress passed the HIPAA regulations to standardize, secure and protect healthcare information.

Purpose of this course:
• To foster understanding of how HIPAA compliance may impact your job-related activities
• To assure compliance with federal and state laws
• To assure that facility policies and procedures are followed
• To foster and maintain a culture of integrity & accountability

The expected results of this standardization are that it will:
• Protect the confidentiality of personal health information
• Improve efficiencies in healthcare billing
• Foster the growth of electronic medical records
• Improve the quality of data used to make decisions
• Ultimately, it is believed that it will reduce healthcare costs

HIPAA has three major areas:
1) Transaction and Code Sets: Standards for the format and coding of billing-related information. For example: electronic claims sent to a third-party payer such as Blue Cross/Blue Shield.
2) Privacy: Standards to protect the privacy of medical records and other specific information. These standards help ensure that Protected Health Information (PHI) is properly handled and kept confidential.
3) Security: Standards to protect the security, confidentiality, integrity and availability of PHI. These standards address items such as electronic billing, and when and how you access electronic PHI.

Quiz Yourself: Which HIPAA regulation helps make sure that Protected Health Information (PHI) is kept confidential? (pick one answer)
1. Transaction and Code Sets
2. Privacy
3. OSHA

HIPAA Regulations must be followed by:
• Clearinghouses – (example: Health Care Billing Companies)
• Health Plans – (example: Blue Cross/Blue Shield Health Insurance, Dental or Optical Insurance Plans)
• Providers – (example: Hospitals, Pharmacies, Physician Offices, Ambulance Companies, Durable Medical Equipment, etc.)
• Anyone who maintains or transmits health information electronically

Healthcare Facilities or Systems must designate a Privacy Official who is:
Responsible for the development and implementation of policies and procedures relating to protecting the privacy of health information.

Healthcare Facilities or Systems must designate a Security Official who is:
Responsible for the development and implementation of policies and procedures related to protecting the security of Electronic Protected Health Information (EPHI).

Workforce Training:
• All members of the workforce must have received training no later than April 14, 2003 for Privacy and April 20, 2005 for Security
• All new workforce members must be trained in privacy and security
Note: Additional training must be provided for those workforce members whose functions are affected by any changes to privacy policies and procedures

The Privacy Rule includes:
• Protected Health Information (PHI)
• Minimum Necessary Use & Disclosure
• Authorization Requirements
• Notice of Privacy Practice Requirements
• Individual Patient Rights
• Uses for Marketing & Fundraising
• Business Associate Provisions
• Sanctions for Non-Compliance
• Safeguards
• Training

As a Clinician you will need to understand certain portions of the HIPAA Regulations in more detail…
• Permitted uses of Protected Health Information (PHI)
• Minimum Necessary Use & Disclosure
• Protecting Confidentiality
• Sanctions

PHI – Just what is it?
Protected Health Information includes:
(I) Names
(II) Zip Codes
(III) All Dates
(IV) Telephone & Fax Numbers
(V) E-mail Addresses
(VI) Social Security Numbers
(VII) Medical Record Numbers
(VIII) Health Plan Numbers
(IX) License Numbers
(X) Vehicle Identification Numbers
(XI) Account Numbers
(XII) Biometric Identifiers
(XIII) Full Face Photos
(XIV) Any Other Unique Identifying Number, Characteristic or Code

To provide complete healthcare:
Direct Care Providers need access to patients' Protected Health Information (PHI) for the purposes of:
• Reviewing medical history
• Diagnosis
• Treatment
• Evaluating response to treatment
• Billing for services
Access to Protected Health Information (PHI) is necessary to provide complete, holistic health care for the patient. But this type of access carries with it an obligation to make sure that confidentiality for the patient is maintained.

You will use Protected Health Information (PHI) most often for treatment purposes:
• Review of the patient's health history
• Review of social issues which impact health
• Diagnostic test results
• Treatment activities
• Consulting with other healthcare providers
• Response to treatment provided

Rule of thumb for sharing Protected Health Information (PHI):
• You may freely share the information with the patient
• The patient may give permission for you to share their information with anyone
• You may discuss PHI with anyone participating in the patient's healthcare or billing activities

Quiz Yourself: Can the patient's PHI be shared with a pharmacy when calling in a prescription?
• The Pharmacy is considered a Healthcare Provider
• The Pharmacy will be providing services directly to that patient
• The Pharmacy will bill the patient for the services they provide

Minimum Necessary Standards
This means that access to Protected Health Information (PHI) must be limited to only those who "need to know".

The Minimum Necessary HIPAA Standards
• Only those who are directly participating in the care of the patient, involved in billing activities or working on operational activities should have access to that information and…
– They should have access to only the amount of information needed to perform their job
Not every healthcare provider needs access to ALL health care information. For example: A nursing aide would NOT need to know MRI test results in order to give a patient their dinner tray. But they would need to know things like:
– NPO Status
– Intake & Output (I&O) Restrictions
– Dietary Restrictions
– Occasionally, Glucometer test results

Quiz Yourself: Do direct care providers have the right to access any patient's medical record?
Remember: Only those healthcare providers that are directly involved with the patient's diagnosis, treatment plan or care should have access.

Authorization
An authorization must be obtained from a patient for all uses and disclosures that are not related to Treatment, Payment or Operations. For example:
* Some types of Marketing
* Participation in Research
* Some Fundraising activities
An example of when an authorization would be needed: Newsletters and/or taking pictures of patients… If the newsletter contains Protected Health Information (PHI) about a patient, the patient must give written authorization prior to use.

Quiz Yourself: Which of the following almost always requires the completion of a written authorization when using PHI? (pick one answer)
1. Quality improvement activities
2. Discussions with the patient about medical treatment
3. Research activities
4. Sharing information for billing & payment purposes

Notice of Privacy Practices
All healthcare providers must develop a Privacy Notice which:
– describes how PHI may be used
– outlines patient rights required by the HIPAA regulations, and
– provides them with information on who to contact if they have questions or complaints

Notice of Privacy Practices
• A copy must be provided to the patient on the first service delivery date, beginning April 14, 2003
• A copy must be posted on the wall of the waiting room area
• It must be posted on a web site, if one is available
• A copy must be made available upon request

Notice of Privacy Practices – Acknowledgement of Receipt
• HIPAA requires that healthcare providers make a "good faith" effort to obtain a written acknowledgement that the patient received a copy of the Notice
– This will typically take place during Registration

Quiz Yourself: The Notice of Privacy Practices contains which type of information? (pick one answer)
1. How PHI may be used
2. Patient rights
3. Where to file a complaint
4. All of the above

Protecting Confidentiality…
Remember: Patients have a fundamental right to expect that their personal Protected Health Information (PHI) will be maintained in a confidential manner.
How would you feel if you overheard a conversation about your personal Protected Health Information in the cafeteria?
• Would you feel violated?
• Would you be angry?
• Would you lose your trust?

FAQ: Can I give information to another caregiver, such as a Consulting Physician, over the telephone?
• You can share information with other healthcare providers who are participating in the care of the patient
• You will need to make a "Reasonable" effort and use your professional judgment to identify the caller

Protect Confidentiality on the phone:
Make a "Reasonable" effort and use your professional judgment to identify the caller, for example:
• If possible, verify with the patient
• Ask the caller to give the patient's birth date or home address
• Or, ask the caller to speak to the next of kin identified on the face sheet

Business Associate Provisions
• Under certain circumstances we can share PHI with individuals who are not involved in Treatment, Payment and Operational activities
• HIPAA mandates that we have a contract that clearly states that they must follow HIPAA privacy regulations

Security
To assist with ensuring privacy, certain security measures must be followed to protect electronic patient health information. Some of these measures include:
– Log-in monitoring
– Awareness and protection from malicious software

Log-in Monitoring
• All individuals with electronic access to the SETON Healthcare Network are held accountable for all activity performed with their user ID and password.
• Individuals must secure their user ID and password to prevent unauthorized use.
• Since many systems have audit trails, suspicious activity can be tracked with authorization.

Log-In Monitoring – What You Can Do…
• Report the following suspicious activities to the IS Service Desk @ ext. 41675
– If anyone asks for your password
– If someone appears to be using someone else's password

Guarding Against Malicious Software
(Cartoon caption: "Excuse me, could you see if this virus ruins your computer too?")
Reminder: Do not download or install software that is not approved by Information Services

Guarding Against Malicious Software
• Malicious (destructive) software can alter data, destroy files, or even bring down the entire computer network
• ALL computers MUST have virus protection to reduce the potential of malicious software
• Software and e-mail should only be installed or opened from known and trusted sources
• Suspicious software must be reported to the IS Service Desk at x41675

Ways to Protect Patient Privacy
• Be aware of individuals in your surroundings
• Speak in low tones
• Do not talk about patients in the elevators, hallways, or cafeterias
• Do not leave charts or documents unattended

Ways to Protect Patient Privacy
Discard documents with Protected Health Information (PHI) by shredding or placing them in a secure recycle bin

Ways to Protect Patient Privacy
• Make sure patient information is not easily seen or accessible
• You must not share computer passwords
• Be sure to log off the computer when finished

Passwords are like bubblegum
• Strongest when fresh
• Should NOT be shared
• Should not be left under keyboards for future use
• If left lying around, can create a sticky mess

What happens if a workforce member breaches the confidentiality of a patient?
We are required to have policies in place to apply appropriate sanctions against members of the workforce who fail to comply with the HIPAA privacy and security regulations.
But this is not new!
• That is right, healthcare employers have always had sanctions in place to handle confidentiality breaches by their workforce
– The change is…
• We will have routine monitoring in place to identify breaches of confidentiality

Breaching Confidentiality – what does it mean to you?
• HIPAA requires sanctions to be in place for breaching confidentiality
• The state laws protecting patient confidentiality have been in place for years, but…
– Breaches are now considered not only civil offenses but in some cases criminal offenses

What is meant by the term "Breaching Confidentiality"?
• There are two types of breaches:
– Intentional
• Example: a healthcare provider sells a list of patient demographic information to a telemarketer
– Unintentional
• Example: a census list is left on a cafeteria table or patient charts are left unattended in a public place

FAQ: What happens if someone overhears a conversation when I am discussing patient diagnostic or treatment information with another caregiver?
Answer: As long as you have taken "Reasonable" precautions to prevent an unintentional disclosure, this would be considered an Incidental Disclosure and is not punishable as a breach of confidentiality.

Failure to comply with HIPAA Regulations can result in:
• Exclusion from Medicare Programs
• Places Accreditation at risk
• Damaged Community Reputations
• Lawsuits for breaches of confidentiality
• Civil and Criminal penalties for healthcare providers, including Individuals!

Remember these HIPAA Basics:
• Patients have a fundamental right to expect that their personal Protected Health Information (PHI) will be maintained in a confidential manner
• PHI may be used for Treatment, Payment, or Operations (TPO)
• Most other uses of PHI require the patient to give specific permission or authorization

HIPAA is simply Common Sense!
• Protect patient information in the same manner you want YOUR information protected
• Access to information should only be for individuals who are directly caring for a patient, billing for services provided, or performing operational (quality improvement type) activities

Who do you think is responsible for Protecting Health Information?
(Cartoon speech bubbles: "He is!" "She is!" "That one over there!" "She is!" "He is!" "They are!" "I am certain it is her!")
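Worked example added to this course (not part of the original Ascension/Seton material): a small Python model of the Minimum Necessary standard and of the audit-trail review described under Log-in Monitoring. The role field sets, patient assignments, user IDs, workstation names and audit entries are constructed for illustration; the nursing-aide field set mirrors the slide's own dinner-tray example.

```python
from datetime import datetime, timedelta
from collections import Counter

# Hypothetical per-role "need to know" field sets (an assumption; only the
# nursing-aide set is taken from the slide's example).
ROLE_FIELDS = {
    "nursing_aide": {"npo_status", "intake_output", "dietary_restrictions", "glucometer"},
    "physician": {"history", "mri_results", "lab_results", "npo_status", "glucometer"},
    "billing": {"account_number", "health_plan_number"},
}

def check_access(role, assigned_patients, patient_id, field):
    """Decide one PHI request: the field must be in the role's need-to-know set
    AND the requester must be directly involved with this patient."""
    if field not in ROLE_FIELDS.get(role, set()):
        return "deny:field-not-minimum-necessary"
    if patient_id not in assigned_patients:
        return "deny:not-assigned-to-patient"
    return "allow"

# Constructed audit-trail entries: (timestamp, user_id, workstation, patient, field, decision).
SAMPLE_AUDIT = [
    ("2023-05-01 08:00", "jdoe", "WS-3A", "P1001", "npo_status", "allow"),
    ("2023-05-01 08:02", "jdoe", "WS-7B", "P2042", "mri_results", "deny:field-not-minimum-necessary"),
    ("2023-05-01 08:03", "jdoe", "WS-7B", "P2043", "mri_results", "deny:field-not-minimum-necessary"),
    ("2023-05-01 08:04", "jdoe", "WS-7B", "P2044", "history", "deny:field-not-minimum-necessary"),
    ("2023-05-01 09:15", "rlee", "WS-2C", "P1001", "history", "allow"),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def flag_shared_credentials(audit, window_minutes=5):
    """Return user IDs seen on two different workstations within the window,
    a pattern consistent with a password being used by someone else."""
    flagged, last_seen = set(), {}  # user -> (timestamp, workstation)
    for ts, user, ws, *_ in sorted(audit):
        t = parse_ts(ts)
        if user in last_seen:
            prev_t, prev_ws = last_seen[user]
            if ws != prev_ws and t - prev_t <= timedelta(minutes=window_minutes):
                flagged.add(user)
        last_seen[user] = (t, ws)
    return flagged

def flag_repeated_denials(audit, threshold=3):
    """Return user IDs with at least `threshold` denied requests, for review."""
    denials = Counter(user for _, user, _, _, _, dec in audit if dec.startswith("deny"))
    return {u for u, n in denials.items() if n >= threshold}
```

Both flags are review prompts for the Privacy or Security Official, not verdicts; the person behind the user ID must still be identified before any sanction applies.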
For further information:
• Refer to the Notice of Privacy Practices
• Call your designated Privacy Official
• All privacy and information security policies and procedures, as well as additional information, may be found on the SETON Intranet.
• Helpful internet sites:
– http://hipaa.ascensionhealth.org
– http://www.cms.hhs.gov

This program was a collaborative effort between:
Genesys Health System, Grand Blanc, Michigan – http://www.genesys.org
&
Seton Healthcare Network, Austin, Texas – http://www.seton.net

Property of Ascension Health ©
All materials appearing in this presentation may not be reproduced or stored in a retrieval system without prior written permission of the publisher, and in no case for profit.

Authored & Developed by:
Carol L. Joseph – Genesys – cljoseph@genesys.org
Leigh Chiuminetta – Seton – Lchiuminetta@seton.org
Technical Assistance:
Bill Shea – Genesys Medical Education – Technical Resources – bshea@genesys.org

• Please complete the post-test.