HIPAA Privacy Rule: Focus on Research

HIPAA Privacy Training
Health Insurance Portability & Accountability Act of 1996
Standards for Privacy of Individually Identifiable Health Information
45 CFR Parts 160 and 164
The Privacy Rule
- Creates a national foundation (floor) of privacy protection
- Does not preempt more stringent state laws
- Extends:
  - Certain individual rights to privacy
  - Protection of an individual’s medical records and health information
Who’s affected?
Direct impact:
- Health plans
- Health care clearinghouses
- Health care providers (who transmit health information electronically)
Indirect impact:
- Business associates (vendors, consultants, contractors), bound through contract with the covered entity (the HITECH Act of 2009 later made business associates directly liable for the Security Rule and certain Privacy Rule provisions)
What’s protected?
Protected health information (PHI) is individually identifiable health information relating to:
- a person’s past, present or future physical or mental health or condition;
- the provision of health care to the person; or
- past, present or future payment for health care provided to the person.
PHI covers information transmitted or maintained in any form or medium (electronic, paper or oral) and includes any data considered individually identifiable (defined below).
What’s individually identifiable?
Health information is individually identifiable if it contains any of the following identifiers of the individual, or of the individual’s relatives, employers or household members [45 CFR 164.514(b)(2)]:
- Name
- Geographic subdivisions smaller than a State (street address, city, county, precinct, ZIP code), except the initial three digits of a ZIP code when the area formed by all ZIP codes with those three digits contains more than 20,000 people
- All elements of dates (except year) directly related to the individual (birth, admission, discharge, death), and all ages over 89 and any date elements indicative of such an age (these may be aggregated as “90 or older”)
- Phone and fax numbers
- E-mail addresses
- Social Security number
- Medical record number
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web URLs
- IP address numbers
- Biometric identifiers, including finger and voice prints
- Full-face photographs and any comparable images
- Any other unique identifying number, characteristic or code
Removing all 18 categories is the “safe harbor” de-identification method; the covered entity must also have no actual knowledge that the remaining information could be used to identify the individual.
Rules for Use or Disclosure of PHI
- Treatment, Payment, Health Care Operations (TPO)
- Opportunity to Object
- Agreement or Authorization not required (Exceptions)
- Authorization
Permitted Uses of PHI
Use or disclosure is permitted for:
- Treatment (some facilities may still require patient authorization for release of PHI)
- Payment
- Health care operations (quality improvement, staff performance review, training in areas of health care, accreditation, medical review, audits, business planning and development, general administration, etc.)
Opportunity to Object
The patient must be given a chance to object (or agree) before PHI is used or disclosed for:
- Facility directories
- Disclosure to clergy
- Disclosure to persons involved in the individual’s care
- Notification purposes
- Disaster relief purposes
Agreement or Authorization Not Required (Exceptions)
- Required by law
- Public health activities
- Victims of abuse, neglect or domestic violence
- Health oversight
- Judicial/administrative proceedings
- Limited law enforcement purposes
- Coroners, medical examiners and funeral directors
- Organ/tissue donations
- Research purposes (subject to the conditions in 164.512(i), e.g. IRB or privacy board waiver of authorization)
- Serious threat to self/others
- Specialized government functions
- Workers’ comp
Authorizations
A written authorization from the patient is required for all other uses or disclosures of PHI.
Notice of Privacy Practices
- Describes to the patient how his/her protected health information may be used or disclosed
- Details the patient’s legal rights with regard to his/her own PHI and how to exercise those rights
- Details the legal obligations of the Covered Entity to protect PHI
Individual’s Rights
- To receive the Notice of Privacy Practices
- To inspect and/or obtain a copy of PHI
- To request amendment of PHI
- To request limits on certain uses or disclosures of PHI
- To receive an accounting of disclosures
- To receive confidential communications
- To file a complaint
Other Requirements
- De-identification of PHI
- Minimum necessary
- Workforce training
- Verification process
- Business Associate Contract
Other Restrictions
- Marketing
- Fundraising
Specially Protected Health Information
Additional protections apply under Hawaii State law to the release of HIV, mental health and substance abuse treatment records.
Consequences of Non-compliance
Penalties:
- Civil: $100 per violation, up to $25,000 per year for violations of an identical requirement
- Criminal: up to $250,000 and/or 10 years in prison (the top tier, for knowing misuse with intent to sell, transfer or use PHI for commercial advantage, personal gain or malicious harm)
These are the original 1996 statutory amounts; the HITECH Act of 2009 later raised civil penalties substantially and tiered them by level of culpability.
Sanctions
A facility is required to sanction members of its workforce (including “students”) who violate policies and procedures relating to the privacy and security of health information.
- Student sanctions may include suspension or termination of access privileges to PHI and/or of participation in educational programs at the facility

What You Need to Know About Each Facility
- Facility Directory
- Family Involvement
- Minimum Necessary
- Appropriate Educational Access/Use
- Requesting/Disclosing PHI for Treatment
- Requests/Disclosures to Govt. Agencies
- Patient’s Request to Restrict Use or Disclosure
What is a Facility Directory?
The information about a patient that a hospital releases to callers, visitors or the media. It is limited to:
- Location in the facility
- Condition, described in general terms (no specific medical information)
Directory information may only be released to people who ask for the patient BY NAME.
Facility Directory
- A patient may ask that NO INFORMATION be released to callers, visitors or the media
- Each hospital has procedures for patients with NO INFORMATION status
- You must be aware of the hospital’s procedures
- Do NOT release information in violation of the patient’s information status
Facility Directory: NO INFORMATION Status
- The patient’s location and condition WILL NOT BE DISCLOSED TO ANYONE, INCLUDING FAMILY OR FRIENDS
- Anyone asking for the patient will be told, “We have no information regarding the individual.”
What should I do?
Scenario #1:
Q: I am approached in the hallway by someone who
asks me if I know what room a patient is in. I
saw the patient’s name on the unit I just left.
What should I do?
A: Refer the person to the nurses’ station,
information desk, or hospital operator. You do
not know whether the patient has requested a NO
INFORMATION status or other restrictions.
Family Involvement
A patient’s health information may be disclosed to family, friends or others involved in the patient’s care if:
- the patient gives verbal agreement,
- the patient has the opportunity to object and does not, or
- you can reasonably infer from the circumstances that the patient does not object.
For an emergency or an incapacitated patient, release information using professional judgment about the best interests of the patient.
Family Involvement
- Information released must be directly relevant to that person’s involvement in the patient’s care or payment for that care
- A patient has the right to request that you not release information to family or others
- If a patient asks that you not talk with family or others, inform the nursing staff of the patient’s request
What should I do?
Scenario #2:
Q: The spouse of a patient I am seeing approaches
me in the hallway and begins asking me questions
about the patient. During my assessment visit,
the patient indicated that she did not want
information shared with her spouse.
What should I do?
A: A patient has a right to not involve family
members or others in his/her care. You should
not share any information with the spouse per the
patient’s request and you should alert the nursing
staff about the patient’s request.
Minimum Necessary
Need-to-Know Rule: access to information is a privilege. Individuals who are granted access have an obligation to limit their access and use to the minimum necessary to perform their duties and responsibilities.
Request/Disclose PHI for Treatment Purposes
You may request/disclose PHI for treatment when:
- the request is from a provider to whom you referred the patient for treatment, or the provider’s involvement in the patient’s treatment is documented in the medical record, or
- the patient has signed an authorization or release for the disclosure to the provider, or
- the provider has requested the PHI, in writing, for treatment purposes
Request/Disclosure of PHI to/from Government Agencies
- Refer to nursing staff, the attending physician or the Privacy Officer
- Only the minimum necessary may be released
- An accounting of the disclosure must be completed
Patient’s Request to Restrict Use or Disclosure of PHI
- The facility may agree to a patient’s request to restrict use or disclosure of PHI for treatment, payment or health care operations
- You must be aware of the facility’s procedures and where such restrictions would be documented
Use of PHI for Educational Purposes
Allowed without patient consent or authorization (training in areas of health care is a health care operation). Parameters for use or disclosure of PHI for educational purposes:
- Appropriate access
- Minimum necessary for the purpose
- Protect and safeguard PHI
- Appropriate disposal upon completion
“Facially De-identified” Information
- Use of “facially de-identified” PHI is permitted for educational purposes
- Remove all individual identifiers, except:
  - Patient’s medical record number
  - Dates of service
  - Zip code
- Because those three fields remain (each is one of the 18 HIPAA identifiers), this information is still considered PHI and remains under federal privacy protections; it is not “de-identified” in the HIPAA sense
“Facially de-identified” means removing:
- Name
- Address
- Phone & fax numbers
- E-mail address
- SSN
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Web URLs
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- IP address numbers
- Biometric identifiers (including finger and voice prints)
- Full face photo and other images
- Any other unique identifier
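The two identifier lists above (the 18 HIPAA Safe Harbor categories, and the deck’s weaker “facially de-identified” form that keeps the medical record number, dates of service and zip code) are easiest to compare on an actual record. The following Python script is an added example, not part of the original training deck or any facility’s tooling: it applies both levels to one patient record and then checks which Safe Harbor identifiers survive, which is exactly why facially de-identified output must still be handled as PHI. The field names, the sample patient and the RESTRICTED_ZIP3 set are constructed for the example; RESTRICTED_ZIP3 is illustrative and not the authoritative Census-derived list of low-population three-digit ZIP areas.

```python
"""Safe Harbor vs. "facially de-identified" scrubbing of one patient record.
Added example; field names, sample data and RESTRICTED_ZIP3 are constructed."""
from datetime import date

# Constructed field names mapped onto the Safe Harbor direct-identifier
# categories. "employer" is not one of the 18 by name, but the deck's patient-
# log rules require removing it and it can be a unique identifying characteristic.
DIRECT_IDENTIFIERS = {
    "name", "address", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial", "url",
    "ip_address", "biometric", "photo", "employer", "other_unique_id",
}
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}   # all dates except year
DATES_OF_SERVICE = {"admit_date", "discharge_date"}
ZIP_FIELD = "zip"                                        # unit smaller than a State
# The deck's "facially de-identified": everything above removed EXCEPT these.
FACIAL_KEEP = {"mrn", ZIP_FIELD} | DATES_OF_SERVICE
# Illustrative (constructed) 3-digit ZIP prefixes whose area has <= 20,000 people.
RESTRICTED_ZIP3 = {"036", "059", "102"}


def safe_harbor_deidentify(record, restricted_zip3=RESTRICTED_ZIP3):
    """Copy of record with all 18 Safe Harbor identifier categories removed."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                    # dropped outright
        if key in DATE_FIELDS:
            out[key] = value.year if isinstance(value, date) else None
        elif key == ZIP_FIELD:
            zip3 = str(value)[:3]
            out[key] = "000" if zip3 in restricted_zip3 else zip3
        elif key == "age" and isinstance(value, int) and value > 89:
            out[key] = "90+"                            # ages over 89 aggregate
        else:
            out[key] = value
    if out.get("age") == "90+" and "dob" in out:
        out["dob"] = None          # a birth year indicating age > 89 identifies too
    return out


def facially_deidentify(record):
    """Deck's educational-use form: identifiers removed except MRN, dates of
    service and ZIP. The result is still PHI and must be handled as such."""
    out = {}
    for key, value in record.items():
        if key in FACIAL_KEEP:
            out[key] = value
        elif key in DIRECT_IDENTIFIERS or key in DATE_FIELDS:
            continue                                    # e.g. name, SSN, DOB
        else:
            out[key] = value
    return out


def remaining_identifiers(record):
    """Sorted names of Safe Harbor identifier fields still present in record."""
    found = []
    for key, value in record.items():
        if value is None:
            continue
        if key in DIRECT_IDENTIFIERS:
            found.append(key)
        elif key in DATE_FIELDS and isinstance(value, date):
            found.append(key)                           # full date, not just year
        elif key == ZIP_FIELD and len(str(value)) > 3:
            found.append(key)                           # full 5-digit ZIP
        elif key == "age" and isinstance(value, int) and value > 89:
            found.append(key)
    return sorted(found)


def is_still_phi(record):
    return bool(remaining_identifiers(record))


# Constructed sample patient, loosely following the deck's own wording
# ("36 year old ... living in Arizona, admitted in October 2002"). Not real data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "mrn": "MRN-0042", "ssn": "000-00-0000",
    "dob": date(1966, 3, 14), "age": 36, "address": "1 Example St",
    "zip": "85001", "employer": "Example Builders LLC",
    "admit_date": date(2002, 10, 5), "discharge_date": date(2002, 10, 9),
    "diagnosis": "syncope", "occupation": "construction worker",
}

if __name__ == "__main__":
    for label, fn in (("Safe Harbor", safe_harbor_deidentify),
                      ("Facially de-identified", facially_deidentify)):
        scrubbed = fn(SAMPLE_RECORD)
        print(f"{label}: {scrubbed}")
        print(f"  still PHI: {is_still_phi(scrubbed)} {remaining_identifiers(scrubbed)}")
```

Running it shows the Safe Harbor output keeping only year, three-digit ZIP, age band and clinical fields, while the facially de-identified output reports admit_date, discharge_date, mrn and zip as surviving identifiers. The point for a practitioner is the last check: the deck’s educational form is a handling convention, not a way out of HIPAA, so a “facially de-identified” patient log still needs shredding, not a trash can.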
Allowable Educational Access/Use
- Treatment
- Observation
- Teaching Rounds
- Retrospective Record or Data Reviews
- Research (with IRB approval)
- Case Presentations
- Patient Logs
Is this okay?
Scenario #3:
Q: I heard about a very unusual case in the OR. As a medical
student, I am here to learn. I need to know more about the
details so I can gain a better understanding of the clinical
course. I plan to review the records before I leave for the
day. Is this okay?
A: No. While it might be argued that educational benefit can
be gained by reviewing unusual cases, such review should
be formally approved and presented. Individual access to
patient records in this type of situation is not appropriate.
Electronic records and systems are monitored for
inappropriate access.
Some Do’s and Don’ts:
Treatment and Observation
Can Do
- Access the medical records of the patients you are treating/caring for
- Prepare class work with patient identifiers removed
- Observe patient care with approval from the department manager/supervising faculty
Cannot Do
- Obtain medical records of patients you are not treating/caring for
- Use data (obtained from your cases) that include patient identifiers such as name, address, birth date
- Observe patient care without appropriate approval or when the patient has objected
Some Do’s and Don’ts:
Teaching Rounds
Can Do
- Share patient information during teaching rounds
- Prepare class work using data from your cases with patient identifiers removed
Cannot Do
- Discuss patients in public areas with no consideration of your surroundings
- Include family members in rounds unless the patient has agreed, or the physician has determined that inclusion is in the patient’s best interest
Some Do’s and Don’ts:
Retrospective Reviews
Can Do
- Access medical records with written approval of the supervising faculty member
- Prepare class work using collected data with patient identifiers removed
- Use aggregate or de-identified patient information
Cannot Do
- Use information collected for research without IRB approval
- Publish or publicly present findings without IRB approval or a waiver of authorization
- Contact the patient or the patient’s physician
- Abstract patient identifiers
Some Do’s and Don’ts:
Research
Can Do (with IRB approval)
- Build a database of patient information
- Access and use patient-identifiable information as approved by the IRB
- Make a public presentation or publish findings using aggregate or de-identified information
Cannot Do
- Any research without IRB approval or waiver
- Publish or publicly present findings that identify the patient without the patient’s authorization
- Access and collect patient data in preparation for a research project without IRB approval or waiver
What should I do?
Scenario #4:
Q: My supervising faculty member has asked me to review
100 charts of newborn babies to determine whether or not
the delivery room temperature has an effect on babies.
Do I need IRB approval?
A: Maybe. If the intent is purely for quality improvement
without intent to publish findings and you will destroy the
database upon completion, then you do not need an IRB
approval or waiver. But if you intend to publish, present
or use the data you collected for any other purpose and do
not have the patient’s authorization or an IRB approval or
waiver, you would be violating the patient’s rights.
Some Do’s and Don’ts:
Case Presentations or Grand Rounds
Can Do
- Access medical records with written approval of the supervising faculty member
- Prepare for the presentation using “facially de-identified”, aggregate or de-identified information
- Limit the audience to healthcare students or professionals if the patient’s identity might be inadvertently revealed
Cannot Do
- Display or reveal the patient’s name or medical record number in your presentation
- Present a high-profile or unusual case that may compromise the patient’s privacy without the patient’s written authorization for disclosure
Patient Logs
You must “facially de-identify” all information collected and submitted on a Patient Log.
Some Do’s and Don’ts:
“Facially De-identifying” Patient Data
Can Do
- Use general terms to describe a patient, e.g. “36 year old”, “White male”, “living in Arizona”, “admitted in October 2002”, “construction worker”
- Black out, delete or cut out patient identifiers on hard copy
Cannot Do
- Leave patient identifiers (patient’s or relatives’ names, birth dates, address, employer) in information you use or remove from the facility
- Take copies of dictated reports home with you (unless the reports are “facially de-identified”)
Some Do’s and Don’ts:
Accessing PHI
Can Do
- Request access to PHI through appropriate channels
- Request access to medical records through Medical Records
- Submit the completed appropriate data request form for data reports
Cannot Do
- Remove medical records from the facility
- Leave patient records or data in the break room or other areas that are not secure
- Out of curiosity, access the records of a celebrity patient or the records of a patient with an unusual medical condition
Is it okay?
Scenario #5:
Q: My friend was admitted yesterday after she
collapsed during a bike ride. I am very concerned
about her progress and would like to visit, but I
don’t know which room she is in. Is it okay if I
look up the information in the computer system?
A: No. Using your access privileges to look up
information about a patient when there is no
need-to-know (based upon your responsibilities
in the hospital) is a violation of patient
confidentiality.
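Scenario #3 notes that electronic records and systems are monitored for inappropriate access, and Scenario #5 and the “Accessing PHI” list describe what that monitoring is looking for: a chart view by someone with no need-to-know. The following Python script is an added example of that detection logic, not part of the original deck or any vendor’s EHR audit tooling. It joins each row of an audit log against the documented treatment relationships (the deck’s “provider’s involvement in patient’s treatment is documented in medical record”) and reports views with no relationship, views outside the dates of that relationship, and nothing for accesses justified by an approved written request. The log format, user and patient identifiers, CARE_TEAM and APPROVED_REQUESTS are all constructed for the example; real audit exports and care-team sources are vendor specific.

```python
"""Need-to-know audit of EHR chart accesses against documented care relationships.
Added example; log format, identifiers, CARE_TEAM and APPROVED_REQUESTS are constructed."""
import csv
from dataclasses import dataclass
from datetime import datetime
from io import StringIO

# Constructed audit log export (one row per record access).
AUDIT_LOG = """\
ts,user,role,mrn,action,context
2002-10-05T08:02:11,nurse01,RN,MRN-0042,view_chart,unit_3W
2002-10-05T08:15:40,student07,MS3,MRN-0042,view_chart,unit_3W
2002-10-05T12:31:09,student07,MS3,MRN-0099,view_chart,unit_3W
2002-10-05T17:45:02,student07,MS3,MRN-0042,view_chart,unit_3W
2002-10-06T22:10:55,clerk02,HIM,MRN-0101,view_chart,release_of_info
2002-10-15T09:00:00,student07,MS3,MRN-0042,view_chart,unit_3W
"""

# Constructed documented treatment relationships: (user, mrn) -> (start, end).
# In a real deployment this comes from census/assignment data recorded in the
# medical record, i.e. the documented involvement the deck refers to.
CARE_TEAM = {
    ("nurse01", "MRN-0042"): (datetime(2002, 10, 5, 7), datetime(2002, 10, 9, 19)),
    ("student07", "MRN-0042"): (datetime(2002, 10, 5, 7), datetime(2002, 10, 9, 19)),
}
# Constructed: accesses justified by an approved written request rather than a
# treatment relationship (e.g. release-of-information processing).
APPROVED_REQUESTS = {("clerk02", "MRN-0101")}


@dataclass(frozen=True)
class Finding:
    ts: datetime
    user: str
    mrn: str
    reason: str


def check_access(user, mrn, ts, care_team, approved):
    """Return None if the access is justified, otherwise the reason it is not."""
    if (user, mrn) in approved:
        return None
    window = care_team.get((user, mrn))
    if window is None:
        return "no documented treatment relationship or approved request"
    start, end = window
    if not start <= ts <= end:
        return (f"access outside documented care window "
                f"({start:%Y-%m-%d} to {end:%Y-%m-%d})")
    return None


def audit_access(log_text, care_team=CARE_TEAM, approved=APPROVED_REQUESTS):
    """Run the need-to-know check over every row of a CSV audit export."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        ts = datetime.fromisoformat(row["ts"])
        reason = check_access(row["user"], row["mrn"], ts, care_team, approved)
        if reason is not None:
            findings.append(Finding(ts, row["user"], row["mrn"], reason))
    return findings


def by_user(findings):
    """Findings per user; repeated hits are what the Privacy Officer follows up."""
    counts = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


if __name__ == "__main__":
    found = audit_access(AUDIT_LOG)
    for f in found:
        print(f"{f.ts:%Y-%m-%d %H:%M} {f.user:<10} {f.mrn:<9} {f.reason}")
    print(by_user(found))
```

On the constructed log this flags the student’s view of MRN-0099 (a patient not on their service, the Scenario #5 situation) and their view of MRN-0042 six days after discharge, while the nurse’s and the clerk’s accesses pass. The second rule matters because a relationship that once existed does not justify indefinite access; the deck’s own “Cannot Do” for treatment covers records of patients you are no longer caring for.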
Some Do’s and Don’ts:
Safeguarding Information
Must Do
- Password-protect laptops or PDAs (and encrypt their storage; a login password alone does not protect the data on a lost or stolen device)
- Shred “facially de-identified” papers when no longer needed
- Ensure the memory/hard drive has been wiped clean when selling or disposing of a PC, laptop or PDA
- Encrypt PHI sent over the Internet
Cannot Do
- Leave information unsecured or in public areas
- Discuss patients in the elevator, hallways or cafeteria
- Dispose of “facially de-identified” information in a trash can (it is still PHI under HIPAA!)
- Share your access codes or cards
Questions?

For further information or questions, please contact the facility’s Privacy Officer.