HIPAA Privacy & Information Security

Alegent Health is a faith-based health ministry sponsored by Catholic Health Initiatives
and Immanuel Health Systems.
Overview
HIPAA Privacy & Info Security
What is HIPAA and why should I care?
• HIPAA is the Health Insurance Portability and Accountability Act of 1996. This presentation will focus on those sections of the law related to Privacy and Information Security as it applies to Alegent Health.
HIPAA:
• Provides patients with more control over their health information
• Sets boundaries on the use and disclosure of medical records
• Establishes safeguards for the protection of PHI
• Holds violators accountable with civil and criminal penalties
Overview
The consequences for non-compliance can be serious, including termination of contracts with our vendors, restriction of access for physicians’ offices, and performance improvement for our workforce, including termination and criminal charges. The financial and personal consequences for violators are also serious, including fines up to $250,000.00 and up to 10 years imprisonment. Several individuals have already been prosecuted for breach of medical privacy.
Lastly, the practice of healthcare is founded on our patients’ trust in us, including safeguarding private information and sharing only what is necessary with those who have a need to know. Patient trust encourages the free flow of information between patient and provider – without it, patient care will suffer.
PHI – What is it?
HIPAA Privacy rules protect individually identifiable protected health information (PHI) from inappropriate use, request or disclosure. PHI includes:
Name
Address
Contact Information
Diagnosis
Lab results
Patient Status
Billing Information
EOBs
Medical Records
Blood type
Symptoms
Relatives
Appointment schedule
Photographs
And any other information that can be tied to a patient’s past, present or future health status and is created or maintained by Alegent Health.
Summary of the Regulations
1. You must not use, request or disclose PHI except as permitted or required by these regulations.
2. You must make reasonable efforts to limit the use, request or disclosure of PHI to the minimum necessary.
3. You must not use or disclose PHI for marketing/fundraising purposes without specific authorization.
4. You must obtain satisfactory assurance that business associates will safeguard PHI.
5. You must recognize that de-identified data is not covered by HIPAA.
6. You must recognize and protect the 5 qualified privacy specific patient rights under this rule.
7. You must designate a Privacy Officer to ensure compliance with HIPAA guidelines, train the workforce and provide a mechanism to address concerns.
What does HIPAA allow?
We may NOT use, request or disclose PHI unless HIPAA allows it – which it does, in varying degrees, for:
• Treatment purposes
  ◦ PHI can be shared freely with other covered entities
• Payment activities (including collections)
  ◦ Minimum Necessary
• Bona fide healthcare operations (Performance Improvement activities, etc.)
  ◦ Minimum Necessary
• As required by law (gunshot wounds, STDs)
  ◦ Minimum Necessary
• OR if the patient “says” to do so!
Patient Rights under HIPAA
Under HIPAA, patients have 5 qualified rights:
• The right to notice about how their PHI will be used and disclosed
  ◦ The Notice of Privacy Practices given to each patient
• The right to have access to their PHI
  ◦ Usually a request to the Medical Records dept to get a copy for themselves or another provider
• The right to request that access be restricted
  ◦ As with No Info patients
• The right to know who has accessed their PHI
  ◦ A request for an Accounting of Disclosures via Medical Records
• The right to request amendment to their PHI
  ◦ Also managed through the Medical Records department
Communicating patient information
“General” patient information
• Unless a patient instructs us otherwise, if someone asks about them by name, we can disclose:
  ◦ That the patient is in the facility
  ◦ The patient’s location (room #)
  ◦ Their condition in general terms (undetermined, good, fair, serious, critical)
• This information can only be disclosed in response to a request – we cannot offer it to anyone without them asking us for it.
• If patients do NOT want “general information” available, they can notify Registration or their caregivers at any time and become a “No Info” patient.
Communicating patient information
Releasing more detailed information to those involved in the patient’s care or payment (lab results, insurance info, treatment plan, prognosis)…
• Disclosures of this nature should be directed by the patient whenever possible. As long as an adult patient is awake and competent, it is best to simply ask them for permission to discuss/disclose the information, and document the permission.
• We are also allowed to use professional judgment to determine whether it is appropriate, based on the person’s involvement in the patient’s current care or payment.
• If the patient objects at any time, discontinue.
Shhhh!
Privacy regulations include oral communication as well as paper and electronic.
• Be aware of your surroundings.
• Avoid conversations about protected health information where others may overhear.
• Take reasonable steps to avoid being overheard whether you are talking face-to-face or on the telephone. If there is an office or private area available, use it. Offices, clinics and hospital rooms are NOT soundproof, and being a patient or visiting family member does not in itself impair a person’s hearing.
• REMEMBER - It’s a small world. Discussions at restaurants, bars and ballgames have found their way back to our patients.
The basics…
Do NOT access, use, request, review or disclose protected health information in any form, whether paper, electronic or verbal, unless you need to do so to do your job.
Then access, use, request, review or disclose only the minimum necessary to achieve your legitimate purpose.
Safeguarding PHI
If you are given electronic access to patient information, you are subject to the following rules to safeguard PHI:
• Use only your own login and password, and never let anyone else use them. Protect them as you would if they accessed your bank account!
• Never sign into an application on a computer where someone else is logged in. This will cause your logins to be linked and could lead to inappropriate access on their part being attributed to you.
• Log off or “flag out” when you walk away from the computer. Flagging out (by holding down the Windows flag key and pressing the letter “L”) will pop up the login screen. You need only enter your password to be back where you were.
Windows flag key + L = Flag Out
Safeguarding PHI
Do not put PHI onto unencrypted devices!
• It is amazing how often PHI has been lost or stolen in the last few years – it’s in the news all the time. Laptops are stolen out of cars; thumb drives and backup tapes are lost. Maintaining or moving PHI only while it is encrypted and password protected will also protect you if something unfortunate happens!
Do not email PHI unless it is encrypted!
Protect records by keeping them in secure locations. Do not leave them unattended where passers-by can look at them!
Auditing
One of the requirements of HIPAA is that we monitor employee activity within our systems.
• The rule requires that we “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”
At Alegent Health, everyone who accesses our clinical and billing software & systems should be aware that we do audit and review activity. The primary systems will show:
• Whose record you accessed
• What was done, including simple review of patient info, edits, updates, printing, screen changes, which screens were viewed, etc.
• The date and time of each activity
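As an added illustration (not part of the original training, and not Alegent Health’s actual tooling), this script shows the kind of regular audit-log review the rule calls for: it reads access records of the form the slide describes (who, whose record, what, when) and flags the two patterns the training treats as inappropriate, a user opening their own record and a user opening a record of a patient they have no care or payment role for. The log lines, assignment table and MRNs are constructed sample data.

```python
import csv
from io import StringIO

# Constructed sample audit log (not from any real system):
# timestamp, user who accessed, patient record (MRN) accessed, action taken.
AUDIT_LOG = """\
timestamp,user,mrn,action
2024-03-01T08:02:11,nurse.lee,MRN1001,view
2024-03-01T08:05:40,nurse.lee,MRN1002,edit
2024-03-01T09:15:03,clerk.ray,MRN1003,print
2024-03-01T12:40:22,nurse.lee,MRN2001,view
2024-03-01T13:01:09,clerk.ray,MRN1004,view
"""

# Constructed lookups: patients each user has a treatment or payment role for,
# and the MRN of any workforce member who is also a patient.
ASSIGNMENTS = {
    "nurse.lee": {"MRN1001", "MRN1002"},
    "clerk.ray": {"MRN1003"},
}
OWN_RECORD = {"nurse.lee": "MRN2001"}


def review_audit_log(log_text, assignments, own_record):
    """Return (timestamp, user, mrn, reason) tuples for accesses needing follow-up.

    Self-access is checked first; otherwise any access to a patient outside the
    user's assignments is flagged as lacking a care/payment relationship.
    """
    flagged = []
    for row in csv.DictReader(StringIO(log_text)):
        user, mrn = row["user"], row["mrn"]
        if own_record.get(user) == mrn:
            flagged.append((row["timestamp"], user, mrn, "self-access"))
        elif mrn not in assignments.get(user, set()):
            flagged.append((row["timestamp"], user, mrn, "no care/payment assignment"))
    return flagged


if __name__ == "__main__":
    for ts, user, mrn, reason in review_audit_log(AUDIT_LOG, ASSIGNMENTS, OWN_RECORD):
        print(f"{ts} {user} -> {mrn}: {reason}")
```

Each flagged line is a lead for the Privacy Officer to review, not a finding by itself: a legitimate assignment that was never recorded in the table looks the same as curiosity access until someone checks.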
Consequences
• Remember that an audit showing that you inappropriately accessed records that you did not need to access – including your own records, or those of friends or family – will be addressed.
• Inappropriate access may lead to a suspension or termination of access to the system – and may lead to criminal or civil charges as well.
• Before you access – be sure it’s worth it!
Quick Quiz
Joe heard that his grandmother was in the hospital. He called the hospital to find out her condition. Can her condition be disclosed?
Yes. As long as Mrs. Jones hasn’t decided to be a No Info patient, we can disclose the room number and condition in general terms such as good, fair, serious or critical.
Quick Quiz
A person calls you, identifying themselves as the spouse of a patient. Can we provide detailed patient information based only on the fact that they are married?
No. Even if we are able to verify the caller’s identity as the spouse, a person is not entitled to a spouse’s PHI based on marriage alone. (As with any other caller, they can get Facility Directory info - if the patient isn’t No Info.)
If the patient has not communicated a desire to have their spouse informed – either verbally or in written form – you would need to determine if the spouse is involved in the patient’s care or payment for that care, and to what extent, prior to any disclosure.
Quick Quiz
Is it ok to discuss patient information in public areas as long as you do not use the patient’s name?
No. Even without saying the name, others may be able to determine who you are discussing – or think they know. This is not an appropriate way for anyone to find out about a loved one’s prognosis.
Even in an appropriate area, maintain professionalism. We have investigated several complaints stemming from patients overhearing their caregivers making derisive comments about them.
Quick Quiz
Is looking up patient information out of concern or curiosity ok, as long as you don’t disclose what you see to others?
No. Access patient information only when you have a legitimate, work related need to know. Similarly, it is not appropriate to “just check” whether someone is or has been a patient because of something you’ve heard in the media.
Quick Quiz
You are at work and see a friend as you walk down the hall. You stop and say hello. They tell you that they are in for tests and you wish them well and go on your way. When you get home, can you tell anyone about your friend’s tests?
No. Any information that you gain while you are working as a member of Alegent Health’s workforce or while visiting one of our sites must be treated confidentially.
• Consider your friend’s situation – they may not have expected to see you and (short of hiding behind a plant) could not avoid speaking to you.
• In this type of situation, avoid direct questions about their reason for being there, and if your friend does give you details, ask if it is ok to share with others before doing so. Then be sure to say you have permission when you share!
Certificate of Completion
Thank you for completing Alegent Health’s HIPAA Privacy & Information Security Training online.
Name
Date
Please print this page for documentation purposes.