Committed To World Class Service

HIPAA: YOUR GUIDE TO PRIVACY AND SECURITY at SALINA REGIONAL HEALTH CENTER
Revised October 2013

HIPAA - WHAT IS IT?

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. Until HIPAA was passed, rules to protect personal health information did not exist. Congress saw HIPAA as an opportunity to move health care into the electronic age. HIPAA sets national standards for the written, oral, faxed, and electronic management of patient information. It is illegal to violate HIPAA.

HIPAA:
• requires healthcare organizations to notify patients of their health information rights.
• requires healthcare organizations to obtain patient consent before sharing protected health information with others unless the information will be used for treatment, payment, or healthcare operations.
• sets standards to protect the integrity, availability, and confidentiality of information.

WHO MUST ABIDE BY HIPAA?

Healthcare providers - hospitals, clinics, nursing homes, physicians, suppliers, and others who furnish, bill, and/or are paid for providing healthcare services.
Health plans - group health plans, health insurance issuers, Medicare, Medicaid, and all governmental healthcare programs for military personnel, their dependents, veterans, etc.
Clearinghouses - billing services, repricing companies, "value-added" networks, etc., that are involved in the processing of health claims.

Confidential Information

Confidential information takes on many forms. It can be information printed on paper, or data files stored on a computer, a hand-held device such as a smartphone, computer media, or voice mail. Regardless of the form it takes, you are responsible for protecting it from unauthorized disclosure or modification.

HIPAA VIOLATION PENALTIES

In addition to internal disciplinary action, HIPAA violations can lead to civil sanctions and fines. Criminal penalties for "wrongful disclosure" could result in large fines and/or jail time. Serious offenses include:
• knowingly releasing patient information. This can lead to one year in jail and a $50,000 fine.
• gaining access to health information under false pretenses. This can lead to five years in jail and a $100,000 fine.
• releasing patient information with harmful intent or selling patient information. This can lead to ten years in jail and a $250,000 fine.

Due to the Kansas Risk Management law, if an investigation determines that an employee has committed a privacy violation, the violation will be reported to the employee's licensing agency.

REMEMBER - HIPAA VIOLATIONS CAN HAVE SERIOUS CONSEQUENCES!

HIPAA - THINK ABOUT IT

In today's world, health information is easily transported and increasingly accessible. Information management technologies increase the risks and threats to the privacy of personal health information. HIPAA provides a structure for compliance with standards to protect the privacy and security of health information.

No matter where you work (health center, lab, radiology, business office, doctor's office, volunteer services, information technology, patients' homes, etc.), or whether you have a direct patient care role or not, it is important to know the meaning of privacy, security, and confidentiality!
• As a student at SRHC, you are expected to keep privacy, security, and confidentiality central to providing quality care.
• Remember that PATIENTS have the right to control who sees their health information.
• In the past, privacy, security, and confidentiality were considered to be ethical obligations. Despite this, many situations led to health information ending up in the wrong hands. HIPAA seeks to correct breaches of privacy, security, and confidentiality.
• REMEMBER - MAINTAINING PATIENT PRIVACY, SECURITY, AND CONFIDENTIALITY IS THE LAW!
HIPAA: IMPACT ON CLINICAL PRACTICE

HIPAA has had a significant impact on clinical practice. HIPAA does the following:
• Gives patients more control over their health information.
• Sets boundaries on the use and release of health records.
• Establishes safeguards that healthcare providers and others must provide to protect the privacy of health information.
• Holds violators accountable, with civil and criminal penalties that can be imposed if it is determined that a patient's privacy rights were violated.
• Strikes a balance when public responsibility supports disclosure of some data to protect public health (as in the case of child abuse).

HIPAA changes every facet of health care, including the way clinicians work, how data is accessed, how healthcare information is stored and shared, and authorizations and consents. It is important that you:
• share or use only the minimum amount of health information necessary to communicate information about patients.
• are aware of what patient information you are legally allowed to share and with whom.
• discuss a patient's personal health information in private.
• shred patient information instead of just throwing it in the trash.
• never leave patient information unattended in an area where unauthorized people can see it.

COMMUNICATION OF HEALTHCARE INFORMATION

HIPAA dramatically changes how healthcare information is communicated. Keep in mind:
• Display of patient information on a white board must be out of the view of the public.
• Phone communication requires more verification prior to giving out patient information.
• Communication with or about patients that involves sharing patient health information must be conducted in private and limited only to those who need to know the information in order to provide treatment, payment, and/or healthcare operations.
• It is important for you to know to whom patients have approved the release of personally identifiable health information.

HIPAA - TERMS TO KNOW

Health Information (HI) - refers to information in ANY form (oral, written, electronic) related to an individual's past, present, or future physical or mental health, including the services delivered and the method of payment.
Protected Health Information (PHI) - refers to any individually identifiable health information (IIHI) that is transmitted or maintained in any form.
Electronic Protected Health Information (EPHI) - refers to any individually identifiable health information that exists in or is transmitted in electronic form.

WHAT IS IDENTIFIABLE INFORMATION?
• Names
• Addresses
• Employers
• Relatives' names
• Dates of birth
• Telephone & fax numbers
• E-mail addresses
• Social Security numbers
• Medical Record numbers
• Member/account numbers
• Certificate numbers
• Voice prints
• Fingerprints
• Photos
• Codes
• Any other characteristics which may be used to identify an individual (for example, occupation)

DID YOU KNOW?

Patients are concerned about privacy. In a November 2000 Gallup Poll commissioned by Medic Alert:
• 77% of the people surveyed feel their personal health privacy is very important.
• 84% were somewhat to very concerned that their personal health information might be available without their consent.
• 90% said they trust their doctor to keep their personal health information private and secure, and 66% said they trust a hospital to do the same.
• 42% said they trust their insurance company.
• Only 7% were willing to store or transmit personal information on the Internet, and only 8% felt a web site could be trusted.

REMEMBER
• Healthcare providers are bound by law to protect patients' privacy and security. Increased access to healthcare information leads to increased risks for misuse.
MISUSE OF HEALTH INFORMATION

People assume that discussions they have with healthcare providers will remain private. They expect that their private health information will not be shared inappropriately with others. When people don't trust healthcare providers, they:
• do not obtain treatment.
• give incomplete or inaccurate information.
• try to pay for services out of pocket to prevent insurance claims.
• change healthcare providers frequently.
• ask physicians to NOT document actual conditions.

REMEMBER
Medical information is some of the most sensitive and personal information that is collected and shared. Privacy is central to the healthcare provider/patient relationship.

Sshhh: PRIVATE MEANS PRIVATE

If your role as a student requires you to discuss healthcare information with patients, be sure to assess the environment before you start talking. Are there other people in the area who might hear the information you are sharing? Are those people authorized to hear the information you are sharing? Patients have the right to expect that they can talk to their healthcare providers in private and that their protected health information will be shared with (or overheard by) only those people they have authorized.

RESPONSIBILITIES
You should also use caution when discussing information with other providers involved in a patient's care. Make sure that people who DON'T NEED TO KNOW about a patient's medical condition don't hear your conversations.

HIPAA AND PATIENT RIGHTS

HIPAA regulations give patients the right to:
• determine who can see and hear their personal health information (PHI).
• inspect their medical records and, for a reasonable fee, obtain copies of those medical records if they want them.
• restrict the use and release of information.
• file complaints based on violation of privacy rights.
• exclude their names from patient directories.
• request confidential or alternative communication methods.
• request a list of when and where their confidential information was released.

HIPAA AND CONFIDENTIALITY

REMEMBER
Information about patients is considered confidential whether it is written, saved on a computer, or spoken out loud. Information includes name, address, age, social security number, past medical history, reason for visit, etc. As a student in a healthcare setting, it is important that you take steps to protect the privacy of patients.

PROTECTING PRIVACY: IT'S EVERYONE'S JOB!
• Use care when you discuss patients' health information. Don't hold discussions in hallways, elevators, cafeterias, or other public places in the health center. Always make sure that your discussions with patients, staff, family members, etc., can't be overheard.
• Do not leave open charts, lab results, medications, or other sensitive information out in the open where others can see it. Keep test results private.
• Do not use the intercom to provide health information to patients or other staff members.
• Make sure you know whether or not a patient has opted out of the directory.
• DO NOT GIVE HEALTH INFORMATION to family members or friends unless you are authorized by a patient to do so.
• Keep records locked and accessible only to those people who need them in order to do their jobs.
• Make sure that posted or written information about patients can't be seen by the public.
• Provide a private area for patients to discuss their health concerns, financial information, etc. with physicians and other staff.
• Knock on doors before entering patient rooms. Draw privacy curtains and close doors when appropriate.
• If you are unsure about whether or not you should provide information about a patient, ask your supervisor for assistance.
• If you overhear employees, students or observers discussing patients inappropriately, remind them of confidentiality policies. Report problems if you know of them!
• When you leave a computer terminal, make sure you LOG OFF or LOCK the workstation to prevent others from accessing patient information under your log-in. To lock the workstation, press Ctrl+Alt+Delete, then click "lock workstation".
  SPECIAL NOTE: Keep in mind that if you share a computer workstation with others (e.g., at a nurse's station), it is best for you to log off the workstation when you step away instead of locking it. If you lock the workstation, other staff will be unable to log in to the workstation until you return and log off.
• WHEN YOU LOOK FOR INFORMATION ON PATIENTS, REMEMBER - ONLY SEEK INFORMATION YOU NEED TO KNOW IN ORDER TO DO YOUR JOB PROPERLY.

THE "NEED TO KNOW" RULE

Patient privacy boils down to one main point - the "need to know." Believe it or not, as a student at SRHC, you do not have the right to look at all the information available on every patient. For example, a student on 3 Center does not have the right to look at the medical record of a friend on 2 Center. Not all students need to see patient health information about patients, and some only need to see partial patient information.

Before looking at patient information, ask yourself, "Do I need to know this to do my job?" If the answer is "yes," you are allowed to access the information. If the answer is "no," access to the information is NOT ALLOWED. You will be in violation of HIPAA regulations if you access patient information you don't NEED TO KNOW in order to do your job.

Many students at SRHC do not have access to computer-based or written patient information. Why? Because they don't need to know patient information in order to complete their clinical/observation. If a fellow student asks you about a patient, only provide information if he/she is directly involved in the patient's care and needs to know the information in order to appropriately care for the patient. Remember the SRHC rule of thumb - ask yourself, "Do I need to know this to do my job?"

YOU SHOULD NOT ACCESS ANY INFORMATION THAT YOU DO NOT NEED TO KNOW IN ORDER TO COMPLETE YOUR CLINICAL/OBSERVATION.

HIPAA AND THE HOSPITAL DIRECTORY

The following protected health information can be maintained in a patient directory: name, location in the hospital, condition described in general terms (good, fair, poor), and religious affiliation. SRHC must inform patients of the protected health information that may be included in the directory and to whom it might release the information (including clergy). SRHC provides patients with the opportunity to restrict or prohibit some or all of the uses or disclosures.
• If a patient chooses to have his/her name published in the directory, then patient name, room number, and general condition (serious, poor, fair, good, etc.) will be given to people who ask for the patient by name.
• If a patient chooses NOT to have his/her name in the directory, then mail will be returned, flowers will not be delivered, and people asking for the patient by name will be told, "There is no one by that name listed in our patient directory."
• Patients who do NOT want to have their names in the directory will be listed on the white board using first and last initials. Additionally, a star should be placed by those patients' initials.

TIME OUT FOR PRACTICE

Hilda is observing on a unit in the hospital where Celia, a member of her church, is currently hospitalized. Hilda knows that Celia's family could use some help with meals, transportation, and babysitting. Hilda also knows that members of the church would be happy to help Celia's family, but the problem is that nobody from church knows that Celia is in the hospital. Hilda can get Celia's family the help it needs by making a quick phone call to the church.

In accordance with HIPAA regulations, Hilda should:
• call her pastor, explain the situation, and arrange to have healthy meals taken to Celia's home for the next five days. (INCORRECT)
• do nothing unless Celia gives her the authorization to call the church and get help for her family. (CORRECT)

Before Hilda can call the church, Celia must give her authorization. If Hilda calls the church without getting Celia's authorization, she is in violation of HIPAA regulations.

TIME OUT FOR PRACTICE

You hear a "Code Blue" called on the Mother/Baby unit, and you are curious to know who coded and why. You know the unit secretary on Mother/Baby, so you call her to find out what happened.

According to HIPAA regulations, should the unit secretary give you the information you are requesting?
• Yes, because you tell her you won't share the information with anyone else. You tell her you are just curious to know what happened because it is unusual for someone to code on the Mother/Baby unit. (INCORRECT)
• No, she shouldn't give you any information unless you can demonstrate a legitimate NEED TO KNOW. Any time patient information is requested for purposes other than treatment, payment, or operations, its release must be authorized. (CORRECT)

Based on the information provided in the scenario, you are seeking information out of curiosity. It doesn't matter that you promise to keep the information to yourself. You do not NEED TO KNOW any information about the patient who coded and why she coded; therefore, the unit secretary should not give you the information you are requesting.

KEY POINTS REGARDING TECHNOLOGY:
• Use the "NEED TO KNOW" rule before you access electronic personal health information. ONLY ACCESS PATIENT INFORMATION YOU NEED TO KNOW IN ORDER TO PERFORM YOUR JOB RESPONSIBILITIES.
• Once you log on to a computer workstation, ALL ACTIVITY UNDER YOUR LOG-IN IS TRACKED AND ATTACHED TO YOUR NAME.
Even if you are only stepping away from the computer terminal for a brief time, it is very important that you protect yourself by either logging out of or locking the workstation.
• To lock the workstation, press Ctrl+Alt+Delete, then click "lock workstation". If you forget to log off or lock the computer workstation and someone uses that workstation to inappropriately access patient information, you could be held responsible in the event a complaint is filed. Why? Because the inappropriate activity will be attached to your log-in. Remember, if you share a computer workstation with others (e.g., at a nurse's station), it is best for you to log off the workstation when you step away instead of locking it. If you lock the workstation, other staff will be unable to log in to the workstation until you return and log off.
• Make sure you enter information into the computer in a timely, accurate manner. Timeliness and accuracy ensure that appropriate information is available for medical decision-making. For example, failure to document a medication at the time it is administered could cause the medication to be duplicated or could give the appearance of omission or chart tampering.

User IDs

Your user ID uniquely identifies you. You are responsible for all actions associated with your user ID; therefore, it is important to ensure that your user ID is used only by you and no one else. You will be held responsible for the actions of another individual if you allow them to obtain and use your user ID and password or allow them access to patient information in a clinical application while you are logged on.

COMPUTER WORKSTATIONS

Take these steps if you work with computers:
• Angle your computer away from public access/view.
• Keep all PDAs, laptops, and media locked up when not in use.
• Log off the system at the end of the work day. Log off or lock the workstation when you leave your work area.
• Even if you don't share a computer with someone else, it is possible that someone could try to illegally access information on your computer. Never leave secure information unattended while you are logged onto a secure system.
• Never allow anyone to use a secure system for which he/she does not have access after you have logged onto the system.

TIME OUT FOR PRACTICE

A classmate needs to look up information on a patient; however, you are currently logged into the computer he needs to use. You tell him to "go ahead and look up the information" and then log off the computer. Four months later, while checking up on a reported HIPAA violation, investigators discover that patient information was inappropriately accessed under your log-in. The problem is, you know you weren't the one who did it!

Do you have anything to be concerned about?
• Yes, this is a problem for you because all activity conducted under your log-in is tracked and attached to your name. If a complaint is filed, you could be held responsible for inappropriately accessing patient information. (CORRECT)
• No, there is no problem for you because even though the information was accessed under your log-in, you weren't the one who did it. All you have to do is tell investigators that someone used your log-in to access patient records inappropriately, and all will be OK for you. (INCORRECT)

Remember, once you log into a computer, ALL ACTIVITY UNDER YOUR LOG-IN IS TRACKED AND ATTACHED TO YOUR NAME.

Personally Owned Devices

The IT department must approve any personally owned devices (including, but not limited to, laptops, tablets, iPads, and digital cameras) prior to being connected to workstations or the internal network. SRHC offers a "guest" wireless network for our patients, visitors or contractors. You may use personally owned devices with the guest wireless network on your personal time.

Texting and Cell Phones

Text messaging is not a secure form of communication. Text messaging of confidential information is not allowed. Taking pictures of computer screens containing confidential information is also not allowed.

Reporting Security Incidents

Notify the IT Help Desk (extension 7792) and your supervisor if you become aware of or suspect the following:
– Theft of or damage to equipment
– Unauthorized use of user passwords
– Policy violations
– Any other problems or questions with information security or patient privacy

The Omnibus Rule and Business Associates
• The HIPAA Rules define "business associate" to mean a person who performs functions or activities on behalf of, or certain services for, a CE that involve the use or disclosure of PHI.
• Disclosure means the release, transfer, provision of, access to, or divulging in any manner outside the entity holding the information.
• Access means the ability or means necessary to read, write, modify or communicate data/information or otherwise use any system resource.

The Omnibus Rule
• Applies to:
  – Covered Entities (CE) - providers, hospitals, health plans
  – Business Associates (BA)
  – Subcontractors to Business Associates that handle Personal Health Information (PHI) on behalf of Business Associates

Business Associates
• BAs must comply with the technical, administrative, and physical safeguard requirements, as well as the policies and procedures and documentation requirements, for ePHI under the HIPAA Security Rule.
• Direct liability for BAs under HIPAA would attach regardless of whether a BA, contractor and/or subcontractors have entered into the required business associate agreements.

HIPAA: SUMMARY

As you go about your daily job tasks, keep HIPAA in mind. Think of every item of information or data about any person who obtains service from SRHC as health information. As you deal with patients and/or their information, keep in mind:
• What is the information?
• Who can hear or see the information?
• Where is the information going?
• How will the information be used?
• How will I keep track of the information?
• How and where is the information maintained?

Failure to protect patient information and patient records by not following SRHC's privacy policy can have a serious impact on your status as a student at SRHC.

HIPAA: IF YOU HAVE QUESTIONS
• For questions about privacy issues at SRHC, contact Kallie Burgardt, Privacy Officer, Ext. 6897.
• For questions about computer security issues at SRHC, contact Larry Barnes, Chief Information Officer, Ext. 7703.

TO REPORT A BREACH OF PRIVACY OR SECURITY, CONTACT BECKY GROSLAND, COMPLIANCE OFFICER, EXT. 7094.

If a patient believes his/her right to privacy has been violated, he/she can write a letter of complaint and send it to SRHC or the U.S. Department of Health and Human Services. Contact Kallie Burgardt for details. THERE IS NO PENALTY FOR FILING A COMPLAINT.

HIPAA

Our patients trust you to keep their information private and secure. Remember, "Entrusted with people's lives, we are privileged to provide quality healthcare service in a healing and spiritual environment."
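The "need to know" rule and the point that all activity under your log-in is attached to your name both rest on the same thing: the access audit trail that an investigator reviews. As an added example (not part of the SRHC deck and not SRHC's own systems), here is a small Python review over constructed access-log lines: it flags chart views where the user's assigned unit does not match the patient's unit (the 3 Center / 2 Center case) and one user ID active on two workstations within minutes of each other, which is what a session left unlocked or a shared log-in looks like in the log. The log format, the staffing table and the census table are all assumed for illustration.

```python
"""Toy audit review for the "need to know" rule (added example, not SRHC code).

Assumed log line format:  timestamp,user_id,workstation,patient_mrn,action
Assumed lookup tables:    STAFFING (user -> unit for the day), CENSUS (MRN -> unit)
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data. stu_hilda is a student assigned to 3 Center;
# MRN2002 is a patient on 2 Center, so those views have no care relationship.
ACCESS_LOG = """\
2013-10-07T08:02:11,stu_hilda,WS-3C-01,MRN1001,VIEW_CHART
2013-10-07T08:05:40,stu_hilda,WS-3C-01,MRN2002,VIEW_CHART
2013-10-07T09:15:03,rn_ortiz,WS-2C-04,MRN2002,VIEW_MAR
2013-10-07T09:16:30,stu_hilda,WS-2C-04,MRN2002,VIEW_NOTES
2013-10-07T09:17:55,stu_hilda,WS-3C-01,MRN1001,VIEW_LABS
2013-10-07T11:30:12,rn_ortiz,WS-2C-04,MRN2002,DOCUMENT_MED
"""
STAFFING = {"stu_hilda": "3 Center", "rn_ortiz": "2 Center"}
CENSUS = {"MRN1001": "3 Center", "MRN2002": "2 Center", "MRN3003": "Mother/Baby"}


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str
    workstation: str
    mrn: str
    action: str


def parse_log(text: str) -> list[Access]:
    """Parse the assumed CSV-style log into Access records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ws, mrn, action = line.split(",")
        events.append(Access(datetime.fromisoformat(ts), user, ws, mrn, action))
    return events


def need_to_know_violations(events, staffing, census) -> list[Access]:
    """Accesses where the user's assigned unit differs from the patient's unit.
    Unknown users or patients are flagged too: no documented relationship."""
    flags = []
    for e in events:
        user_unit = staffing.get(e.user)
        patient_unit = census.get(e.mrn)
        if user_unit is None or patient_unit is None or user_unit != patient_unit:
            flags.append(e)
    return flags


def concurrent_workstations(events, window=timedelta(minutes=5)):
    """Pairs of accesses by the same user ID from different workstations within
    `window`. The log only records the user ID, so a classmate using your open
    session appears as you; this pattern is the clue an investigator has."""
    by_user: dict[str, list[Access]] = {}
    for e in sorted(events, key=lambda x: x.ts):
        by_user.setdefault(e.user, []).append(e)
    pairs = []
    for user_events in by_user.values():
        for i, a in enumerate(user_events):
            for b in user_events[i + 1:]:
                if b.ts - a.ts > window:
                    break  # events are time-sorted, nothing later is closer
                if a.workstation != b.workstation:
                    pairs.append((a, b))
    return pairs


def review(log_text, staffing, census) -> dict:
    """Run both checks and return compact, comparable findings."""
    events = parse_log(log_text)
    return {
        "need_to_know": [(e.user, e.mrn) for e in need_to_know_violations(events, staffing, census)],
        "concurrent": [(a.user, a.workstation, b.workstation)
                       for a, b in concurrent_workstations(events)],
    }


if __name__ == "__main__":
    for kind, items in review(ACCESS_LOG, STAFFING, CENSUS).items():
        print(kind, items)
```

Real EHR audit logs carry more context (treatment relationships, break-the-glass flags), but the two questions are the same: did this user need this record, and was this user really at that keyboard.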