HIPAA is…
 Health Insurance Portability and Accountability Act of 1996
 One set of Federal health care regulations with many parts
1. Insurance Portability
2. Administrative Simplification
a. Privacy
b. Security
c. Electronic Data Exchange
 A new set of Federal Regulations which health care facilities must comply with beginning April 14, 2003.
What patient information is protected health information?
 Protected Health Information is often referred to as “PHI”
 Anything that can be used to identify the patient
~Name, address, social security number, medical record number, telephone number, patient account number
 Anything about the patient’s past, present, or future medical conditions and treatments
 PHI includes billing and payment records for the provision of health care services
HIPAA changes the way we use information!
 Today we use patient information for
~ Treatment
~ Payment
~ Health Care Operations
~ Appointment Reminders
~ Notifications of Treatment Alternatives
~ Health-Related Benefits of Service
~ And others
HIPAA changes the way we use information!
 After the HIPAA Privacy implementation date of April 14, 2003, it will be acceptable to use and disclose patient information if:
~ The use or disclosure is for:
o Treatment
o Payment
o Health Care Operations
~ Authorization is required and on file
o Some types of disclosures, including to apply for life insurance
~ Exemptions
o Required by federal or state law
o Required for public health and safety
o Others
Four Key HIPAA Questions
1. Is the patient information I am about to access necessary for me to complete my job?
2. Am I accessing only the minimum necessary to complete my job, no more and no less?
3. Am I accessing, using, or disclosing this information for treatment, payment, or health care operations reasons?
4. If I am accessing, using, or disclosing this information, should I have a signed authorization from the patient?
This facility protects patient privacy by:
o Assigning a facility Privacy Officer
o Having written policies and procedures to help employees understand the new privacy laws.
o Providing this privacy training to the workforce
o Putting in place ways to protect health information from being misused
o Having a way for patients and others to file complaints
o Providing discipline for employees who don’t follow the privacy practices
Privacy Officer Responsibilities
o Corporate P.O.
~ Guidance and recommendations for HIPAA Privacy Policies
~ Final authority on policies
~ May receive complaints
~ Educational program design
o Facility P.O.
~ Implementation of Privacy Policies at facilities
~ Receives complaints
~ Facility compliance monitoring and corrective action
~ Training of facility workforce on HIPAA Privacy Policies
Preemption of State Laws
o To the extent that a state privacy law is more restrictive than a HIPAA provision, the requirements of the state law will prevail.
o Conversely, where the HIPAA law is more restrictive than a state law, HIPAA will preempt the state law.
What is the Notice of Privacy Practices?
The Notice of Privacy Practices (sometimes referred to as the NPP) is:
o An explanation to our patients of how their personal PHI is used and disclosed
o The start of a dialogue with our patients regarding the purpose of the uses of information
o An explanation of the patient’s rights as defined by the HIPAA Privacy Regulations
o The Notice of Privacy Practices is:
~ Available in a paper copy
~ On the facility web site
~ Posted in facility
Giving the Notice to Patients
 Provide a copy of the Notice to the patient
 Allow the patient an opportunity to ask any questions he or she may have regarding the Notice
 Obtain the patient’s acknowledgement of receipt of the Notice
 If a patient refuses to sign for receipt of the Notice, document the patient’s refusal and reason for refusal
 The HIPAA Privacy compliance date is April 14, 2003; this facility will be distributing the Notice to all patients beginning on April 7, 2003
Giving the Notice to Patients
 Unless the patient presents to the facility in an emergency situation, the patient should be given a copy of the Notice when the patient registers for an outpatient service or is admitted
 Retain the acknowledgement of the Notice
 In an emergency situation:
~ Document the reason in the medical record why the Notice was not given to the patient at the time of presentation
~ Give the patient a copy of the Notice at a later time when the patient has stabilized
Use vs. Disclosure
 Use means the employment or application of PHI within the facility that maintains the information
 Disclosure means the release, provision, or transfer of access to PHI outside of the facility to another entity such as another facility, nursing home, or insurance company
Uses and Disclosures Policies
 Uses and disclosures relating to treatment, payment, or health care operations
~ HIPAA 002
 Uses and disclosures made without patient authorization
~ HIPAA 003
 Uses and disclosures made with patient authorization
~ HIPAA 004
Treatment Uses
 Communications between health care providers for the purpose of treatment:
~ Between doctors and nurses
~ Between facilities
~ Between the facility and other providers, including physicians
 Do not require authorization
Payment Uses
 Communications between the facility and a payer, usually a health insurance company, to pay for treatment services rendered by the facility on behalf of the patient
 Do not require authorization
Health Care Operations Uses
 Information used to perform certain business functions of the facility
~ Management and administration
~ Health care insurance contracting
~ Quality management
~ Case management
~ Health care agency oversight
~ Accrediting organizations
 Do Not Require Authorization
Disclosures Not Requiring Patient Authorization
 Required by Federal or State law
~ Workers compensation
~ Birth reporting
~ Child abuse or domestic violence reporting
 Required for public health reasons
~ Sexually transmitted diseases
~ FDA-regulated products
 Required for national security reasons
~ Prevent a serious threat of harm to the individual or others
 Do not require authorization
 Generally require an accounting of disclosure
Disclosure with Authorization
 Authorization is required for certain disclosures to:
~ Attorneys
~ Schools
 Require a valid authorization from the patient
 Applies to situations where use falls outside of TPO and for which there is no exception for the authorization requirement
 Only certain staff members are permitted to accept and act upon patient authorizations
Use and Disclosure Authorization Process
 Authorizations are required for disclosures other than TPO within permitted categories
 Valid authorizations must be written
 Authorizations must be in plain language
 Authorizations must contain all the core elements
Use and Disclosure Authorization Process
 Identification verification must take place when the request is made
~ Patients-picture ID with signature, or comparison of signature in the record
~ Representatives-picture ID with signature, or comparison of signatures, and documented proof representative is authorized to make such a request
 Identification verification must take place when the PHI is released
Incidental Disclosures
 Disclosures of PHI that occur in the process of conducting business
~ May be unavoidable despite reasonable efforts to avoid the disclosure
~ Are overheard or viewed by people in public places
 Do not violate the HIPAA Privacy Regulations as long as there are adequate safeguards in place
Minimum Necessary
 Share only the minimum amount of PHI necessary to fulfill the job responsibility
~ Treatment uses and disclosures are exempt
 Share PHI only to those with the need to know
 Share only the amount of PHI requested and not the entire medical record
Facility Directory Disclosures
 The patient must be given the opportunity to opt-out from the directory
 Unless the patient objects, the following PHI may be included in the facility directory:
~ Name
~ Location within the facility
~ Condition of the patient in general terms (e.g., good, critical, serious)
~ Only members of the clergy may have access to the religious affiliation of the patient
Sharing PHI with Family and Friends
 The patient must be given the opportunity to agree, restrict, or object to providing PHI to family members, friends, or others identified by the patient as involved in the patient’s care or payment for health care
 Document the patient’s decision
 Use professional judgment to determine if disclosing PHI would be in the patient’s best interest if the patient is unable to agree or object
HIPAA Patient Rights
 Under the HIPAA Privacy Regulations, patients have the right to:
~ Receive the Notice of Privacy Practices
~ Inspect and request a copy of their PHI
~ Know to whom their information is being disclosed in certain situations

Also, the HIPAA Privacy Regulations give the patient the right to:
~ Request restrictions on use and disclosure of their PHI
~ Request an amendment to their PHI
~ Request confidential communications of their PHI
Patient Access to PHI
 Access Process
~ Patient must make written request to see or to copy PHI
~ A request for access may be denied in certain circumstances
~ The facility has a time limit for responding to such requests
Accounting of Disclosures
 Patients have the right to request an accounting of certain types of disclosures relating to their PHI
~ The request must be in writing
~ The facility has a time limit for responding to such requests
 Not required for
~ All uses and disclosures of PHI relating to TPO
~ Disclosures of PHI of inmates to prisons
~ Disclosures of PHI made before April 14, 2003
~ Uses and disclosures of PHI authorized by the patient
Amendment Rights
 A patient, or patient’s legal representative, can request an amendment be made to PHI
 Examples of why a patient may request to amend a record
~ Wrong sex of baby documented in the mother’s medical record
~ Wrong date of service documented in the medical record
~ Change of address
 Amendment Process
~ Requests must be written, except in the case of requests for basic demographic information, which may be made verbally
~ The request may be made in person, by facsimile, or by mail
~ The facility will verify the identity of the person requesting the amendment
Confidential Communications
 Patients have the right to request confidential communication regarding PHI
 The facility must accommodate reasonable requests made by individuals to receive communications of PHI by alternative means or alternative methods
 The facility requires requests to be submitted in writing
 The facility may deny the request only if the patient fails to provide an alternate communication method and payment, if applicable
HIPAA Compliance
 Compliance with the HIPAA Privacy Regulations and HIPAA Privacy Policies is a part of the compliance culture of the facility
 Compliance with HIPAA and our facility’s privacy practices is part of your job responsibilities
 Noncompliance or privacy breaches may result in disciplinary action
~ Verbal or written warnings
~ Suspension from duties
~ Termination
~ Other
Privacy Complaints
 Complaints or alleged violations should be reported to the facility Privacy Officer
 Individuals may also call the Ethics and Compliance Hotline
 The Privacy Officer will initiate an investigation into the complaint or alleged violation
Privacy Policy Enforcement
 The facility will impose disciplinary actions against employees who violate the privacy policies, procedures, and practices
To Recap:
 This facility is committed to and serious about patient privacy
 All complaints regarding patient privacy will be taken seriously
 The facility will investigate all privacy complaints
 Employees who violate the HIPAA Privacy Policies or any privacy practices and procedures will be disciplined per HR 1400
Remember… it could be your health information that someone is talking about.
Hospital Specific information:
DRMC has formed an Organized Health Care Arrangement (OHCA) with its medical staff to enable the sharing of PHI.