Protecting Patient Privacy
Health Insurance Portability and Accountability Act of 1996 (HIPAA)

What is HIPAA, and what does it govern?
A multifaceted piece of regulation covering three areas:
1. Insurance portability
2. Fraud enforcement (accountability)
3. Administrative simplification (reduction in health care costs)
   a) Privacy
   b) Security

The compliance deadline for HIPAA Privacy: April 14, 2003

Covered Entities
- Most providers: hospitals, physician practices, labs, nursing homes, pharmacies, and other provider organizations
- Clearinghouses
- Health plans

Protecting Privacy: The Privacy Regulation
Protects individually identifiable health information (PHI) that is transmitted or maintained in any form by covered entities.

Individually Identifiable Information (PHI)
Includes demographic information that identifies an individual and:
- Is created or received by a health care provider, health plan, employer, or health care clearinghouse.
- Relates to the past, present, or future physical or mental health or condition of an individual.
- Describes the past, present, or future payment for the provision of health care to an individual.

Which of the following situations describe proper techniques for protecting a patient's privacy and confidentiality?
1. A doctor brings a patient into an unused room to discuss the patient's medical condition.
2. A doctor who is reviewing a patient's record leaves the folder in the doctor's lounge to review later.
3. A doctor e-mails a physician friend about a patient's condition. He explains the condition but omits any identifying information regarding the patient.

Confidential Information: What Makes Information Identifiable?
- Names
- Addresses
- Relatives' names
- Employers
- Dates of birth
- Telephone and fax numbers
- Photos
- Social Security numbers
- Medical record numbers
- Member/account numbers
- Certificate numbers
- Voiceprints
- Fingerprints

Case Scenario #1
Consider the example of a male patient in the waiting room. He is the only male in the room. His physician is discussing his condition (testicular cancer) with a nurse, and everyone in the waiting room can hear the conversation. What could have been done differently to protect this patient's privacy?

Answer
The caregiver should have tried to find a private room or area where details could not be overheard. Even when the patient's name is not specifically used in conversation, remember that details about his condition can be identifying factors in certain circumstances.

Case Scenario #2
Mr. Olsen, a patient in a facility, has had an adverse reaction to his medication. The nurse tries several times to reach the patient's physician for instructions, with no success. Finally, she reaches the club where the physician is attending a social event. She asks the receptionist to tell the physician that Mr. Olsen has had an adverse reaction to his medication, and that she urgently needs a call back. What should the nurse have done differently?

Answer
Leaving a message with someone other than the physician that provides any identifying details about the patient or his condition is a breach of confidentiality. If the person receiving the message knows Mr. Olsen, the information about his presence at the facility and his condition could lead to speculation about the patient. The nurse should have simply requested an immediate call back from the physician about an urgent patient matter.

Case Scenario #3
Susan is a nurse in the ER of a city hospital, and she has just heard through the grapevine that a fellow nurse is pregnant. The other staff members would like to give this nurse a baby shower, but nobody knows when the baby is due or whether it is a boy or a girl. Susan has access to the records and could easily find the answers to both questions. Should Susan try to get the information?

Answer
Absolutely not. This is clearly an unauthorized use of medical information. Remember that you should never look at the records of patients you are not helping to care for.

Authorization
Authorization is required for the use and disclosure of health information (PHI) for purposes other than treatment, payment, or health care operations.

Ways to Protect Confidentiality
Minimum necessary standard: health care providers must make a reasonable effort to disclose or use the minimum necessary amount of protected health information (PHI).
Clinical staff are allowed to look at a patient's entire record and share information freely with other clinicians.
Do not pass on any PHI.

Ways to Protect Patient Privacy
- Close patient room doors when discussing treatments and administering procedures.
- Close curtains and speak softly in semiprivate rooms when discussing treatments and administering procedures.
- Avoid discussions about patients in elevators and cafeteria lines.
- Do not leave messages regarding patient conditions or test results on answering machines or with anyone other than the patient.
- Avoid paging patients using information that could reveal their health issues.

Maintaining Records
- Do not leave PHI unattended in an area where others can see it.
- When finished using PHI, return it to its appropriate location.
- When finished looking at electronic PHI, log off the system.
- Do not leave information visible on an unattended computer monitor.
- When discarding paper PHI, make sure the information is shredded in a secure bin. Leaving paper patient information intact in a wastebasket could lead to a privacy breach.

Security Regulation and Electronic Information
- Send and store information on public networks only in encrypted form.
- Implement procedures by which it is possible to identify the senders and recipients of data and to verify that they are authorized to receive and decrypt the information.
- Use passwords or other authentication technologies to protect information.

Case Scenario #4
It has been regular practice to leave the records system open and logged on at the nurses' station computer at the end of a shift. This saves time during shift changes for the staff who need to retrieve records. Is this an allowable practice under HIPAA?

Answer
No. It may be a timesaver, but this practice is not allowed. It is equivalent to sharing a password. When many employees gain access to the system under the same password, there is no way to audit who sees the records. The system should be logged off when not in use.

Case Scenario #5
A man tells you that he is here to work on the computers. He wants your password to log on to the electronic medical record system. What do you do?

Answer
The best response is to ask the man who at the organization contacted him. The contact can take him to the appropriate area and give him the information he needs. If the repairman cannot tell you who his contact is, call your supervisor.

Case Scenario #6
You are just coming off work at the hospital, and a physician has asked you to fax her patient's OT evaluation findings to her office fax. The findings are ready, but it is after hours, and none of the physician's staff are available to receive the fax. What do you do?

Answer
Do not send the fax to an unattended machine unless you have been assured that it is in a locked room or has a locked cover. You have no way to ensure that no one besides the physician or her staff will see the fax. Leave a phone message at the physician's office asking them to call for a fax of the OT evaluation findings that were requested. Make sure not to leave the patient's name or other identifying information in the message.

Helpful Hints to Use When Working With Computers
- Review your organization's policies on using computers.
- Do not use work e-mail for personal messages.
- Never share or open attached files from an unknown source.
- Never send confidential PHI in an e-mail unless your facility has a policy that allows it and mechanisms in place to protect the information.
- Always double-check the address line of an e-mail before you send it.
- Never share your password or log on to the system under someone else's password.
- Always keep computer screens pointed away from the public.
- Never remove computer equipment, disks, or software from the facility unless you have permission.

Exceptions to the Rule
- Laws require providers to report certain communicable diseases to state health agencies when patients have these diseases, even if the patient does not want the information reported.
- The Food and Drug Administration requires providers to report certain information about medical devices that break or malfunction.
- Some states require physicians and other caregivers who suspect child abuse or domestic violence to report it to the police.
- Police have the right to request certain information about patients when conducting a criminal investigation.
- Certain courts have the right, in some cases, to order providers to release PHI.
- Providers must report cases of suspicious deaths or certain injuries, such as gunshot wounds.
- Providers report information about patients' deaths to coroners and funeral directors.

Reporting Abuses
If a patient, a member of the public, or an employee suspects that an organization is NOT complying with HIPAA, that person can file a complaint with the Office for Civil Rights (OCR) in the US Department of Health and Human Services.

Enforcement
Breaking HIPAA privacy or security rules can mean either a civil or a criminal sanction:
- Knowingly releasing PHI can result in a one-year jail sentence and a $50,000 fine.
- Gaining access to PHI under false pretenses can result in a five-year jail sentence and a $100,000 fine.
- Releasing PHI with harmful intent or selling the information can lead to a 10-year jail sentence and a $250,000 fine.

Third Party Contractor: What is a "Business Associate"?
A person (vendor) who performs or assists a provider or health plan in the performance of:
- A function or activity involving the use or disclosure of PHI, or
- Any other function or activity regulated by the HIPAA Privacy Rule

Business Associates
Examples of business associates:
- Transcription services
- Physicians
- Utilization review contractors
- Device manufacturers
- Accreditation organizations

Who is not a business associate?
- Most delivery services
- The long distance telephone supplier
- Housekeeping services

Summary
HIPAA requires organizations to have policies and procedures in place that dictate:
- how employees can use PHI,
- when they can disclose it, and
- how they should dispose of it.

Acknowledgement
My sincere thanks to Dr. Elsayed AbdelMoty for providing the materials for this presentation.

Final Exam

Which area is not addressed by HIPAA?
- Insurance portability
- Hospital accreditation
- Fraud enforcement
- Administrative simplification

What are considered "covered entities" under HIPAA?
- Hospitals only
- Hospitals and payers only
- Most providers, clearinghouses, and health plans
- Accredited nursing homes, home health agencies, and hospitals only

What are the two kinds of sanctions under HIPAA?
- Egregious and inadvertent
- Criminal and civil
- Warranted and unwarranted
- Security and privacy

Which organization has been charged with enforcing HIPAA's privacy regulation?
- The Joint Commission on Accreditation of Healthcare Organizations
- The Office for Civil Rights
- The Centers for Medicare and Medicaid Services
- The Federal Bureau of Investigation

What kind of personally identifiable health information is protected by HIPAA's privacy rule?
- Written
- Electronic
- Spoken
- All of the above

Which of the following are common features designed to protect the confidentiality of health information contained in patient medical records?
- Locks on the medical records room
- Passwords to access computerized records
- Rules that prohibit employees from looking at records unless they have a need to know
- All of the above

Confidentiality protections cover not just a patient's health information, such as the diagnosis, but also other identifying information such as Social Security number and telephone number. True or false?