HIPAA

advertisement
HIPAA
HIPAA
What
Why
Who
How
When
What Is HIPAA?
Health Insurance
Portability &
Accountability
Act of 1996.
Why Do We Need HIPAA?
The purpose of HIPAA is to
protect confidential health
care information through
improved security and
privacy standards.
Who Must Comply With HIPAA?
Every employee of a health
care facility or provider that
handles protected patient
health information will have to
comply with HIPAA regulations.
What Must Be Kept Confidential?
PHI:
Protected Health
Information
The HIPAA privacy rule defines the type of information that must be kept private by categorizing
it as “Protected Health Information,” or PHI for short. Healthcare organizations must have policies in place
that maintain the privacy of PHI.
What is PHI?
Protected Health
Information
PHI (Protected Health Information)
Health information is any
information, (verbal,
electronic, or written) that
relates to a person’s physical
or mental health, or payment
information.
Examples of Personally
Identifiable Information
Name
SSN
Driver’s license
Address
Telephone number
Marital status
Financial information
Parental status
Gender
Race
Religion
Medical Condition
Test Results
Income
Minimum Necessary
What can I access?
Only information you “need to
know”to do your job
Accessing, using, or disclosing PHI on a
need to know basis to get your job done is
an important concept under HIPAA known
as “minimum necessary.” Working in a
healthcare organization does not entitle a
person to access any and all patient
records in the organization. You can
access only the information you need to
know to get your job done.
Does the minimum necessary standard apply in every situation? No – the
minimum necessary standard does not apply when accessing, using, or
disclosing PHI for treatment of the individual. It also does not apply to the
patient – they can have access to their protected health information.
Incidental Disclosure
The Privacy Rule does not say
that health information will
not be accidentally over
heard. But everyone should
make every effort to prevent this
from happening.
Examples of Incidental Disclosure
Calling a patient’s name in a
waiting room
A sign-in sheet is ok as
long as it does not list a
reason for the visit
Examples of Verbal Risk
Discussing personal health
information with a patient in a
waiting room when there is risk of
others overhearing the conversation.
Examples of Verbal Risk
Personal health information should
not be discussed in public areas such
as elevators, hallways, parking lots,
or bathrooms.
a
Examples of Verbal Risk
You should never discuss a patient’s
personal health information with
friends, family, or neighbors.
Examples of Visual Risks
Leaving documents that
you know contain PHI in
the open, unprotected
and easily accessible by
anyone
How Do I Know...
…when information is considered private?
-Did you learn it through your job?
-If yes, then it is considered private!
a
Internal Security Violations
• Taking advantage of computer glitches that
mistakenly allow access to a patient’s medical
record
• Deliberately gaining access to patient data
• Sharing pass codes
• Leaving documents with patient information
visible in an open area
How Do I Handle…
…An individual asking for access to their
record?
•
•
•
Individuals have a
right of access
Route requests to
appropriate department
or staff
Do not attempt to provide or get this
information yourself
How Do I Handle…
…An individual’s request to
change their medical record?
•
•
•
Individuals have the right to
amend or correct their record
Route requests to appropriate
department or staff
Do not attempt to handle
yourself
How Do I Handle…
…A family member or close
friend asking about a patient?
•
•
Tell them to call
Directory information
Do not attempt to
answer yourself
How Do I Handle…
…Co-workers asking about a patient’s
condition or treatment?
•
•
Route request to appropriate department
or staff
Do not attempt to provide
or get this information
yourself
Penalties
• If you break the
a
rules, you can
face civil and
criminal penalties
• If found guilty
you can be fined
and/or sentenced
to jail
Civil Penalties
• $100 per wrong act
• up to $25,000 per person,
per year for each rule broken
a
Criminal Penalties
• $50,000 & 1 year in jail if found guilty of
telling protected health information
• $100,000 & 5 years in jail if found guilty of
obtaining or disclosing protected health
information under false pretenses
• $250,000 & 10 years in jail if found guilty
of obtaining and disclosing PHI with intent to
sell, transfer, or use for cash, personal gain,
or malicious harm
“Privacy-friendly” Practices
•Abide by the Notice of Privacy
Practice & Confidentiality
•Avoid discussing personal
health information
•Keep health information out
of public areas
“Privacy-friendly” Practices
•Secure records in all locations
•Respect an individuals’ right
to privacy during treatments
HIPAA Security
HIPAA security applies to physical, technical and
administrative safeguards that are put in place to
protect the confidentiality of information.
Passwords
ID Numbers
File Cabinets
Coded information
When complying with security
standards…
Organizations should always access what
resources need to be protected, determine
the cost for protection and access the
likelihood of loss or compromise.
Organizations should train all employees on
day-to-day procedures that ensure the
protection of information.
Ways of Insuring that
information is protected
• Faxes should never be left unattended or in places
where unauthorized people can view them.
• Passwords should be changed regularly. Children’s
names, pet’s names, spouse’s names and birthdates
should never be used as passwords.
• Information on computer monitors should not be
visible to unauthorized people.
• Files should always be closed and coded. Personal
information should never be on a file’s cover.
What Can You Do?
• Be aware of patient information and how
it is used or handled.
• Look for ways to insure the information is
not available to unauthorized individuals.
• Shred when appropriate.
• Password protect your computer.
• Never leave files open on your desk or at
the copier.
Organizations can prevent access the
unauthorized data by implementing
procedures at time of employee
termination.
1. Change all combination locks
2. Removal of terminated employee for access lists
3. Removal of user account(s)
MCG Compliance/
Privacy Officers
• Please report any
violations to the MCG
Privacy Officer at
721-2661, or call
MCG’s Legal Office at
721-4018
Download