Protecting Patient Privacy
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Revised 1/6/12

Objectives
After completing this program you will be able to:
• Discuss the general concepts of HIPAA guidelines
• Adapt HIPAA guidelines for the various settings in which you might practice
• Discuss patient/client rights regarding his/her health information
• Differentiate individuals who have a ‘need to know’ from those who do not. This determines those with whom you can discuss protected health information
• Discuss the application of HIPAA to your role
• List the legal and professional consequences of violating the HIPAA rule

HIPAA
Health Insurance Portability and Accountability Act
• Federal law passed by Congress in 1996
• Regulations promulgated by the Dept. of Health and Human Services
• Guidelines implemented in April 2003
What part do you play in implementing HIPAA? How does this law affect your role?

HIPAA regulations were designed to:
• Protect individuals’ rights to privacy and confidentiality, and
• Assure the security of electronic transfer of personal information
The first, protecting privacy and confidentiality rights, is the subject of this instructional program.
HIPAA applies to us all, in all settings. That means at work, at home, and on the bus, as well as in hospitals and clinics.

Why HIPAA? Genetic advancements
As more is known about our genetic predisposition to diseases, HIPAA will ensure that, for example, an individual is not denied insurance because the company knows that she may eventually develop multiple sclerosis.

Why HIPAA? Marketing
As information is more easily captured concerning, for example, the prescriptions we purchase, HIPAA is designed to prevent marketing of unsolicited products or services based on harvested marketing data.

Why HIPAA? Technology
As information is quickly and sometimes loosely moved around networks, HIPAA standards will hold violators accountable for accidental or intentional ‘interception’ of protected health information (PHI).

Why HIPAA?
• An Atlanta truck driver lost his job after his employer learned from his insurance company that he had sought treatment for a drinking problem.
• The late tennis star Arthur Ashe’s positive HIV status was disclosed by a healthcare worker and published by a newspaper without his permission.
• Tammy Wynette’s medical records were sold to the National Enquirer by a hospital employee for $2,610.

When and how often do I need to be certified?
The law requires that we comply with the regulations and adhere to agency guidelines. The ‘certificate of completion’ you will receive upon completion of this program will be valid for one year. Each fieldwork (FW) site has its own requirements. It is your responsibility to know and comply with the HIPAA requirements of your FW site.

What Objectives do the Privacy Regulations Accomplish for Patients?
• Give patients more control over their health information.
• Set boundaries on the use and disclosure of health records.
• Establish appropriate safeguards for all people who participate in or are associated with the provision of healthcare to ensure that they honor patients’ rights to privacy of their PHI.
• Hold violators accountable through civil and criminal penalties.
• Strike a balance when public responsibility requires disclosure of some forms of data, for example, to protect public health.

With HIPAA we now have new terms and abbreviations to learn!!
Protected Health Information (PHI) or Protected Medical Information (PMI) - This is any data about the patient that would tend to identify the individual.

Protected Health Information (PHI)
Includes demographic information that identifies an individual and:
• Is created or received by a health care provider, health plan, employer, or health care clearinghouse.
• Relates to the past, present, or future physical or mental health or condition of an individual.
• Describes the past, present, or future payment for the provision of health care to an individual.

Examples of PHI include:
• Name
• Address
• Social Security number
• Medical record number
• Date of birth
• Telephone number
• Photos
• Fingerprints
• Diagnosis
• Fax number
• Lab results

New terms and abbreviations
Privacy Officer (PO) - Each facility will have an employee who is responsible for implementing and enforcing this law. Some may have one over a multi-facility network, others one at each site. As an occupational therapy student, this individual (after your fieldwork educator) could be your point of information regarding HIPAA.

Covered Entity (CE) - Any health plan, healthcare provider, or agency that processes claims, and any company that subcontracts with them, is covered by this law.

Release/Disclosure - These are terms used in describing the release of PHI to other CEs for TPO (treatment, payment, or health care operations).

Accounting of Disclosure (AOD) - The patient has the right to have an AOD for his PHI or PMI.

Directory - This is the CE’s census or list of patients used by volunteers and operators to direct visitors.

Different agencies may have other terms they use to communicate HIPAA policies. You will need to keep alert to these instances to comply with the spirit of the law.
New terms and abbreviations
Business Associate (BA): A person (vendor) who performs or assists a provider or health plan in the performance of:
• A function or activity involving the use or disclosure of PHI, or
• Any other function or activity regulated by the HIPAA Privacy Rule

Business Associates
Examples of business associates:
• Transcription services
• Physicians
• Utilization review contractors
• Device manufacturers
• Accreditation organizations
Who is not a business associate:
• Most delivery services
• The long distance telephone supplier
• Housekeeping services

The next few slides will present the basic principles of HIPAA as it applies to the student role:
• The seven rights in the HIPAA privacy guidelines
• Using equipment--computers, printers, fax, and similar machines--to transmit patient data
• Identifying patients’/clients’ PHI in school papers
• Discarding or destroying papers containing patient PHI
• Communicating privacy questions/concerns in the agency
• Describing the consequences of violating HIPAA guidelines

Seven Patient Rights Regarding Privacy of PHI (Protected Health Information)
Individuals have the right to:
1. Receive notice of an agency’s privacy practices.
2. Know that an agency will use their PHI ONLY for treatment, payment, operations (TPO), certain other permitted uses, and uses as required by law.
3. Consent to and control the use and disclosure of their PHI.
4. Access their protected health information (PHI), except for psychotherapy notes (they might be charged for copies).
5. Request amendment or addendum to their PHI (not always granted).
6. Receive accountings of disclosures.
7. File privacy complaints with the agency officer.

HIPAA Restricts Sharing PHI
Personal information cannot be released to individuals or companies interested in marketing ventures without the patient’s written permission. For example:
• Names of patients on antihypertensive drugs cannot be released to a company marketing nutritional products to lower blood pressure.
• Names and addresses of pregnant women cannot be provided to infant formula companies.
• Contact information of previous patients cannot be used to raise money for a hospital building campaign.

How do we assure patients’ rights to privacy and confidentiality?

Who has Access to PHI? The ‘Need-to-Know’ Principle
PHI should be shared with as few individuals as needed to ensure patient care, and then only to the extent demanded by the individual’s role. For example, the nursing assistant ‘needs to know’ only the facts concerning the patient’s current admission.

Protecting your patient’s PHI
• Take all reasonable steps to make sure that individuals without the ‘need to know’ do not overhear conversations about PHI.
• DO NOT conduct discussions about PHI in elevators or cafeterias.
• Do not let others see your computer screen while you are working.
• Be sure to log out when done with any computer file.

Protecting your patient’s PHI
When preparing care plans or other course-required documents, take extra care to:
• not identify the patient/client. Do not use initials.
• use other demographic data only to the extent necessary to identify the patient and his/her needs to the instructor.
• protect the computer screen, PDA, clipboard, or notes from other individuals who don’t have a ‘need to know’
• protect your printer output from others who do not have a ‘need to know’
• protect your portable drive/CD-ROM/PDA from loss
• consider using the FW site’s network to save your documents, if available

Protecting your patients’ PHI
In your role, you are NOT to photoduplicate or fax a patient’s documents in the process of working with your patient’s PHI. As an intern of the clinical site you must use the site’s security procedures to transmit PHI.

Ways to Protect Confidentiality
Minimum necessary standard: Health care providers must make a reasonable effort to disclose or use the minimum necessary amount of protected health information (PHI). Clinical staff are allowed to look at the patient’s entire record and share information freely with other clinicians. Do not pass on any PHI.

Ways to Protect Patient Privacy
• Close patient room doors when discussing treatments and administering procedures.
• Close curtains and speak softly in semi-private rooms when discussing treatments and administering procedures.
• Avoid discussions about patients in elevators and cafeteria lines.
• Do not leave messages regarding patient conditions or test results on answering machines or with anyone other than the patient.
• Avoid paging patients using information that could reveal their health issues.

Maintaining Records
• Do not leave PHI unattended in an area where others can see it.
• When finished using PHI, return it to its appropriate location.
• When finished looking at electronic PHI, log off the system.
• Do not leave information visible on an unattended computer monitor.
• When discarding paper PHI, make sure the information is shredded in a secure bin. Leaving paper patient information intact in a wastebasket could lead to a privacy breach.

Destroying PHI/PMI
DO NOT put notes with PHI/PMI in the trash or paper recycle cans. A paper shredder is available for these materials. Ask your FWE about its location.

Helpful Hints to Use When Working With Computers
• Review your organization’s policies on using computers
• Do not use work e-mail for personal messages
• Never share or open attached files from an unknown source
• Never send confidential PHI in an e-mail unless your facility has a policy that allows it and mechanisms in place to protect the information
• Always double-check the address line of an e-mail before you send it
• Never share your password or log on to the system under someone else’s password
• Always keep computer screens pointing away from the public
• Never remove computer equipment, disks, or software from the facility unless you have permission

Exceptions to the Rule
• Laws require providers to report certain communicable diseases to state health agencies when patients have these diseases, even if the patient does not want the information reported.
• The Food and Drug Administration requires providers to report certain information about medical devices that break or malfunction.
• Some states require physicians and other caregivers who suspect child abuse or domestic violence to report it to the police.
• Police have the right to request certain information about patients when conducting a criminal investigation.
• Certain courts have the right, in some cases, to order providers to release PHI.
• Providers must report cases of suspicious deaths or certain injuries, such as gunshot wounds.
• Providers report information about patients’ deaths to coroners and funeral directors.

Reporting Abuses
If a patient, a member of the public, or an employee knows that an organization is NOT complying with HIPAA, that person can file a complaint with the Office for Civil Rights (OCR) in the US Department of Health and Human Services. In your role as a student, report any issues related to HIPAA to your FWE first!!
Consequences of HIPAA Violations
In addition to federal laws, failure to comply with HIPAA also violates:
• Codes of Ethics
• Standards of Practice
• Policies & Procedures

Potential Consequences of HIPAA Violations
Legal consequences:
• Civil or criminal penalties
• Fines plus imprisonment
Professional consequences:
• Disciplinary action

Enforcement
Breaking HIPAA privacy or security rules can mean either a civil or a criminal sanction:
• Knowingly releasing PHI can result in a one-year jail sentence and a $50,000 fine.
• Gaining access to PHI under false pretenses can result in a five-year jail sentence and a $100,000 fine.
• Releasing PHI with harmful intent or selling the information can lead to a 10-year jail sentence and a $250,000 fine.

Application of HIPAA to Common Situations
Resisting the Need to Share PHI--Honoring the Patient’s Right to Privacy
Johnny, an active 4 year old, breaks his arm after falling from a climbing frame at his daycare. As the OT caring for him after the removal of the cast, you know that he is HIV positive. Your daughter attends the same daycare. You alert some of the other moms at that center. What’s wrong with this scenario? Who in this setting has a ‘need to know’ the HIV status of this child?
Sharing this information with the other parents is a violation of the HIPAA statute, which ensures the child’s/family’s right to privacy and confidentiality. The other parents did not ‘need to know’ this information. Really, nobody has the ‘need to know.’ A good action on your part would be to look into the daycare’s first aid policies and help them develop policies that observe universal precautions in the care of all children and staff. This should be done even if you didn’t know that one of the children was HIV positive.

You see some patient’s data in the trash can. What should you do?
A. Remove it and take it to the document shredder.
B. Report it to the Agency’s HIPAA officer.
C. Call the toll-free number and make an anonymous violation report.
D. Report it to your Fieldwork Educator.
If you answered “A”… No, this is not the best response. You will want to protect the PHI better than this.
If you answered “B”… Well, this is an option, but maybe overkill at this stage. You should tell your FWE. He/she will make sure that the individual responsible gets further education.
If you answered “C”… No, this is not the best response. Unless you are finding consistent HIPAA violations that after reporting are not being corrected, let the agency have the opportunity to re-educate its staff.
If you answered “D”… Yes, this is the best option. You should tell your FWE. She/he will make sure that the individual responsible receives further education.

You were able to convince your best friend, who is a nurse, to move to Miami and work with you. In the cafeteria, she begins telling you about this handsome guy that was just admitted to her unit after a car accident. She continues to tell you some of the details, including that he was driving while intoxicated. What should you do?
A. Remind her of HIPAA and tell her that you should not discuss this type of information.
B. Ask her how old he is.
C. Tell her to get his phone number from the chart.
D. Call the agency/network privacy official.
E. Report her to her head nurse.
If you answered “A”… Yes, this is a good option. Help her recall her responsibilities to the patient’s right to confidentiality and privacy.
If you answered “B” or “C”… Really now!!! I am going to get the Agency’s HIPAA Officer after both of you!
If you answered “D”… No, this is not the best response. Report to the privacy office when you find consistent HIPAA violations that after reporting are not being corrected.
If you answered “E”… No, this is not the best response. Unless she is consistently violating a patient’s rights to protect his/her PHI, you will want to help each other.

While assisting Mrs. Johnson with her bath, she tells you that she would like to remove her name from the patient data that the volunteers have at the reception desk. Is this a reasonable request? What would you do with this request?
A. Not reasonable; this information must be at the info desk for family members and visitors.
B. Reasonable; report it to your FWE.
C. Not reasonable; help her understand that it is protected by the volunteers.
D. Reasonable; call the volunteer office and have her removed from the list.
If you answered “A”… Incorrect, this is a reasonable request. Recall that HIPAA gives patients the right to direct the use and disclosure of their PHI. It is within her rights to have her name removed from the list. Most agencies will have special forms for this.
If you answered “B”… Yes, this is the correct response. Recall that HIPAA gives patients/clients the right to control the use and disclosure of their PHI. It is within her rights to have her name removed from the list. As a student, report it to your FWE. Most facilities have special forms for this type of request, and your FWE will guide you through the process.
If you answered “C”… Incorrect. Recall that HIPAA gives patients/clients the right to control the use and disclosure of their PHI. It is within her rights to have her name removed from the list.
If you answered “D”… Correct, BUT report it to your FWE first and let the right person take care of the details. Most agencies will have special forms for this. The best response is ‘B’.

You are caring for Mr. Sanchez. His physician has called in several consultants to assist with his care. One of the physicians, Dr. Han, a neurologist, calls to get some information about Mr. Sanchez. Can you release information to her?
A. No, she is going to have to come in to be identified.
B. Her request would need to be forwarded to Administration.
C. No, she should be instructed to contact Mr. Sanchez’ primary physician.
D. After obtaining sufficient info to know that it is Dr. Han, you can share the requested information.
If you answered “A”, “B”, or “C”… Incorrect. After instituting reasonable safeguards that it is Dr. Han, you should give her the information that she requests. Recall that PHI can be shared with other caregivers for TPO (treatment, payment, & agency operation) without getting additional approval from the patient.
If you answered “D”… Yes, this is the correct response. It is not a violation of HIPAA if you institute reasonable assurances to protect the security of the patient information and then disclose to another person who has a ‘need to know.’ Recall that PHI can be shared with other caregivers for TPO (treatment, payment, & agency operation) without getting additional approval from the patient.

Case Scenario A
Mr. Olsen, a patient in a facility, has had an adverse reaction to his medication. The nurse tries several times to reach the patient’s physician for instructions, with no success. Finally, she reaches the club where the physician is attending a social event. She asks the receptionist to tell the physician that Mr. Olsen has had an adverse reaction to his medication, and she urgently needs a call back. What should the nurse have done differently?
Answer
Leaving a message with someone other than the physician that provides any identifying details about the patient or his condition is a breach of confidentiality. If the person receiving the message knows Mr. Olsen, the information about his presence at the facility and his condition could lead to speculation about the patient. The nurse should have simply requested an immediate call back from the physician about an urgent patient matter.

Case Scenario B
Susan is a nurse in the ER of a city hospital, and she has just heard through the grapevine that a fellow nurse is pregnant. The other staff members would like to give this nurse a baby shower, but nobody knows when the baby is due or whether it is a boy or girl. Susan has access to the records and could easily find the answers to both questions. Should Susan try to get the information?
Answer
Absolutely not. This is clearly an unauthorized use of medical information. Remember that you must never look at the records of patients you are not treating.

Summary
HIPAA requires organizations to have policies and procedures in place that dictate:
• how employees can use PHI
• when they can disclose it, and
• how they should dispose of it

Final Exam
Instructions:
1. Write your name on a piece of paper.
2. Write the numbers 1-10 and answer the following questions.
3. You must earn at least an 80%.
4. Bring the answer sheet to Dr. Abdel-Moty’s office.

1. Which area is not addressed by HIPAA?
a. Insurance portability
b. Hospital accreditation
c. Fraud enforcement
d. Administrative simplification

2. What are the two kinds of sanctions under HIPAA?
a. Egregious and inadvertent
b. Criminal and civil
c. Warranted and unwarranted
d. Security and privacy

3. Which organization has been charged with enforcing HIPAA’s privacy regulation?
a. The Joint Commission on Accreditation of Healthcare Organizations
b. The Office for Civil Rights
c. The Centers for Medicare and Medicaid Services
d. The Federal Bureau of Investigation

4. What kind of personally identifiable health information is protected by HIPAA’s privacy rule?
a. Written
b. Electronic
c. Spoken
d. All of the above

5. Which of the following are common features designed to protect confidentiality of health information contained in patients’ medical records?
a. Locks on the medical records room
b. Passwords to access computerized records
c. Rules that prohibit employees from looking at records unless they have a need to know
d. All of the above

6. Confidentiality protection covers not just a patient’s health information, such as the diagnosis, but also other identifying information such as Social Security number and telephone number.
a. True
b. False

7. Is this an allowable practice under HIPAA? It has been regular practice to leave the records system open and logged on at the nurses’ station computer at the end of a shift. This saves time during shift changes for the staff who need to retrieve records.
a. True
b. False

8. What could have been done differently to protect this patient’s privacy? Mr. Rivera is a patient in the waiting room. He is the only male in the room. His physician is discussing his condition (testicular cancer) with a nurse, and everyone in the waiting room can hear the conversation.
a. Nothing; this is not a violation of HIPAA
b. The physician should have tried to find a private room or area where details could not be overheard
c. The physician should not have discussed the case with the nurse

9. What should you do? You are about to leave your work at the hospital, and a physician asks you to fax her patient’s OT evaluation findings to her office fax. The findings are ready, but it is after hours, and none of the physician’s staff are available to receive the fax.
a. Fax it; the physician has the right to know the information.
b. Call the physician’s office and leave the patient’s name or other identifying information in the message so that they call you back.
c. Don’t send the fax to an unattended machine unless you have been assured that it is in a locked room or has a locked cover.

10. What should you do? You are an OT student doing your FW experience at a hospital. An individual comes to the OT area and tells you that he is there to work on the computers. He wants your password to log on to the electronic medical record system.
a. Give your password to him
b. Inform your FWE
c. Ask the man who at the organization contacted him
d. Take him to the person who contacted him