Protecting Patient Privacy
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Revised 1/6/12
Objectives
After completing this program you will be able to:
• Discuss the general concepts of HIPAA guidelines
• Adapt HIPAA guidelines for the various settings in which you might practice
• Discuss patient/client rights regarding his/her health information
• Differentiate individuals who have a ‘need to know’ from those who do not. This determines those with whom you can discuss protected health information
• Discuss the application of HIPAA to your role
• List the legal and professional consequences of violating the HIPAA rule
HIPAA
Health Insurance Portability and Accountability Act
• Federal law passed by Congress in 1996
• Regulations promulgated by the Dept of Health and Human Services
• Guidelines implemented in April, 2003
What part do you play in implementing HIPAA? How does this law affect your role?
HIPAA regulations were designed to:
• Protect individuals’ rights to privacy and confidentiality, and
• Assure the security of electronic transfer of personal information
The first…protecting privacy and confidentiality rights, is the subject of this instructional program.
HIPAA applies to us all -- in all settings. That means at work, at home, on the bus, as well as in the hospitals and clinics.
Why HIPAA?
• Genetic advancements: as more is known about our genetic predisposition to diseases, HIPAA will ensure that, for example, an individual is not denied insurance because the company knows that she may eventually develop Multiple Sclerosis.
• Marketing: as information is more easily captured concerning, for example, the prescriptions we purchase, HIPAA is designed to prevent marketing of unsolicited products or services based on harvested marketing data.
• Technology: as information is quickly and sometimes loosely moved around networks, HIPAA standards will hold violators accountable for accidental or intentional ‘interception’ of protected health information (PHI).
Why HIPAA?
• An Atlanta truck driver lost his job after his employer learned from his insurance company that he had sought treatment for a drinking problem.
• The late tennis star Arthur Ashe’s positive HIV status was disclosed by a healthcare worker and published by a newspaper without his permission.
• Tammy Wynette’s medical records were sold to the National Enquirer by a hospital employee for $2,610.
When and how often do I need to be certified?
• The law requires that we comply with the regulations and adhere to agency guidelines.
• The ‘certificate of completion’ you will receive upon the completion of this program will be valid for one year.
• Each fieldwork (FW) site has its own requirements. It is your responsibility to know and comply with the HIPAA requirements of your FW site.
What Objectives do the Privacy Regulations Accomplish for Patients?
• Give patients more control over their health information.
• Set boundaries on the use and disclosure of health records.
• Establish appropriate safeguards for all people who participate in or are associated with the provision of healthcare to ensure that they honor patients’ rights to privacy of their PHI.
• Hold violators accountable through civil and criminal penalties.
• Strike a balance when public responsibility requires disclosure of some forms of data--for example, to protect public health.
With HIPAA we now have new terms and abbreviations to learn!!
Protected Health Information (PHI) or Protected Medical Information (PMI) - This is any data about the patient that would tend to identify the individual.
Protected Health Information - (PHI)
Includes demographic information that identifies an individual and:
• Is created or received by a health care provider, health plan, employer, or health care clearinghouse.
• Relates to the past, present, or future physical or mental health or condition of an individual.
• Describes the past, present or future payment for the provision of health care to an individual.
Examples of PHI include:
• Name
• Address
• Social Security number
• Medical record number
• Date of birth
• Telephone number
• Photos
• Fingerprints
• Diagnosis
• Fax number
• Lab results
With HIPAA we now have new terms and abbreviations to learn!!
Privacy Officer (PO) - Each facility will have an employee who is responsible for implementing and enforcing this law. Some may have one over a multi-facility network, others one at each site. As an occupational therapy student, this individual (after your fieldwork educator) could be your point of information regarding HIPAA.
New terms and abbreviations
Covered Entity (CE) - This includes any health plan, healthcare provider, or agency that processes claims; any company that subcontracts with them is also covered by this law.
New terms and abbreviations
• Release/Disclosure - These are terms used in describing the release of PHI to other CEs for TPO: treatment, payment, or health care operations.
• Accounting of Disclosure (AOD) - The patient has the right to have an AOD for his PHI or PMI.
New terms and abbreviations
• Directory - This is the CE’s census or list of patients used by volunteers and operators to direct visitors.
Different agencies may have other terms they use to communicate HIPAA policies. You will need to keep alert to these instances to comply with the spirit of the law.
New terms and abbreviations
Business Associate (BA): A person (vendor) who performs or assists a provider or health plan in the performance of:
• A function or activity involving the use or disclosure of PHI, or
• Any other function or activity regulated by the HIPAA Privacy Rule
Business Associates
Examples of business associates:
• Transcription services
• Physicians
• Utilization review contractors
• Device manufacturers
• Accreditation organizations
Who is not a business associate:
• Most delivery services
• The long distance telephone supplier
• Housekeeping services
The next few slides will present the basic principles of HIPAA as it applies to the student role:
• The seven rights in the HIPAA privacy guidelines
• Using equipment--computers, printers, fax, and similar machines to transmit patient data
• Identifying patients’/clients’ PHI in school papers
• Discarding or destroying papers containing patient PHI
• Communicating privacy questions/concerns in the agency
• Describing the consequences of violating HIPAA guidelines
Seven Patient Rights Regarding Privacy of PHI (Protected Health Information)
Individuals have the right to:
1. Receive notice of an agency’s privacy practices.
2. Know that an agency will use its PHI ONLY for treatment, payment, operations (TPO), certain other permitted uses and uses as required by law.
3. Consent to and control the use and disclosure of their PHI.
4. Access their protected health information (PHI), except for psychotherapy notes (they might be charged for copies).
5. Request amendment or addendum to their PHI (not always granted).
6. Receive accountings of disclosures.
7. File privacy complaints to the agency officer.
HIPAA Restricts Sharing PHI
Personal information cannot be released to individuals or companies interested in marketing ventures, without the patient’s written permission. For example:
• Names of patients on antihypertensive drugs cannot be released to a company marketing nutritional products to lower blood pressure.
• Names and addresses of pregnant women cannot be provided to infant formula companies.
• Contact information of previous patients cannot be used to raise money for a hospital building campaign.
How do we assure patients’ rights to privacy and confidentiality?
Who has Access to PHI?
The ‘Need-to-Know’ Principle
PHI should be shared with as few individuals as needed to ensure patient care, and then only to the extent demanded by the individual’s role. For example, the nursing assistant ‘needs to know’ only the facts concerning the patient’s current admission.
Protecting your patient’s PHI

Take all reasonable steps to make sure that
individuals without the ‘need to know’ do not
overhear conversations about PHI.

DO NOT conduct discussion about PHI in
elevators or cafeterias.

Do not let others see your computer screen
while you are working. Be sure to log out when
done with any computer file.
Protecting your patient’s PHI
When preparing care plans or other course required
documents take extra care to:
• not identify the patient/client. Do not use initials.
• use other demographic data only to the extent necessary
to identify the patient and his/her needs to the instructor.
• protect the computer screen, PDA, clip board, or notes
from other individuals who don’t have a ‘need to know’
• protect your printer output from others who do not have a
‘need to know’
• protect your portable drive/CD-ROM/PDA from loss
• consider using the FW site’s network to save your
documents, if available
Protecting your patients’ PHI
In your role, you are NOT to photoduplicate
or fax a patient’s documents in the process
of working with your patient’s PHI. As an
intern of the clinical site you must use the
site’s security procedures to transmit PHI.
Ways to Protect Confidentiality
Minimum necessary standard:
• Health care providers must make a reasonable effort to disclose or use the minimum necessary amount of protected health information (PHI).
• Clinical staff are allowed to look at the patient’s entire record and share information freely with other clinicians.
• Do not pass on any PHI.
Ways to Protect Patient Privacy

Close patient room doors when discussing
treatments and administering procedures.

Close curtains and speak softly in semi-private
rooms when discussing treatments and
administering procedures.

Avoid discussions about patients in elevators
and cafeteria lines.
Ways to Protect Patient Privacy

Do not leave messages regarding patient conditions or test results on answering machines or with anyone other than the patient.

Avoid paging patients using information that could reveal their health issues.
Maintaining Records

Do not leave PHI unattended in an area where others can see it.

When finished using PHI, return it to its appropriate location.

When finished looking at electronic PHI, log off the system.

Do not leave information visible on an unattended computer monitor.
Maintaining Records

When discarding paper PHI, make sure the information is shredded in a secure bin.

Leaving paper patient information intact in a wastebasket could lead to a privacy breach.
Destroying PHI/PMI
DO NOT put notes with PHI/PMI in the trash or paper recycle cans.
A paper shredder is available for these materials. Ask your FWE about its location.
Helpful Hints to use When
Working With Computers

Review your organization’s policies on using
computers

Do not use work e-mail for personal messages

Never share or open attached files from an
unknown source
Helpful Hints

Never send confidential PHI in an e-mail unless your facility has a policy that allows it and mechanisms in place to protect the information

Always double-check the address line of an e-mail before you send it

Never share your password or log on to the system under someone else’s password
Helpful Hints

Always keep computer screens pointing away from the public

Never remove computer equipment, disks, or software from the facility unless you have permission
Exceptions to the Rule

Laws that require providers to report certain
communicable diseases to state health agencies
when patients have these diseases, even if the
patient does not want the information reported.

The Food and Drug Administration requires
providers to report certain information about
medical devices that break or malfunction.
Exceptions

Some states require physicians and other caregivers who suspect child abuse or domestic violence to report it to the police.

Police have the right to request certain information about patients when conducting a criminal investigation.
Exceptions

Certain courts have the right, in some cases, to order providers to release PHI.

Providers must report cases of suspicious deaths or certain injuries, such as gunshot wounds.

Providers report information about patients’ deaths to coroners and funeral directors.
Reporting Abuses

If a patient, a member of the public, or an
employee knows that an organization is NOT
complying with HIPAA, that person can file a
complaint with the Office for Civil Rights (OCR)
in the US Department of Health and Human
Services.

In your role as a student, report any issues
related to HIPAA to your FWE first!!
Consequences of HIPAA Violations
In addition to federal laws, failure to comply with HIPAA also violates:
• Codes of Ethics
• Standards of Practice
• Policies & Procedures
Potential Consequences of HIPAA Violations
Legal consequences:
• Civil or criminal penalties
• Fines plus imprisonment
Professional consequences:
• Disciplinary action
Enforcement
Breaking HIPAA privacy or security rules can mean either a civil or a criminal sanction:
• Knowingly releasing PHI can result in a one-year jail sentence and a $50,000 fine.
• Gaining access to PHI under false pretenses can result in a five-year jail sentence and a $100,000 fine.
• Releasing PHI with harmful intent or selling the information can lead to a 10-year jail sentence and a $250,000 fine.
Application of HIPAA to
Common Situations
Resisting the Need to Share PHI—Honoring the
Patient’s Right to Privacy
Johnny, an active 4 year old, breaks his arm
after falling from a climbing form at his daycare.
As the OT caring for him after the removal of the
cast, you know that he is HIV positive. Your
daughter attends the same daycare. You alert
some of the other moms at that center.
What’s wrong with this scenario?
Who in this setting has a ‘need to know’ the HIV
status of this child?
Sharing this information with the other parents is a violation
of the HIPAA statute--ensuring the child’s/family’s right to
privacy and confidentiality.
The other parents did not ‘need to know’ this information.
Really, nobody has the ‘need to know.’
A good action on your part would be to look into the day care’s first aid policies and help them develop policies that observe universal precautions in the care of all children and staff. This should be done even if you didn’t know that one of the children was HIV positive.
You see some patient’s data in the trash can.
What should you do?
A. Remove it and take it to the document shredder.
B. Report it to the Agency’s HIPAA officer.
C. Call the toll-free number and make an anonymous
violation report.
D. Report it to your Fieldwork Educator.
If you answered “A”…
A. Remove it and take it to the document shredder.
No, this is not the best response. You will want to
protect the PHI better than this.
If you answered “B”…
B. Report it to the Agency’s HIPAA officer.
Well…this is an option, but maybe overkill at this stage.
You should tell your FWE. He/she will make sure that the
individual responsible gets further education.
If you answered “C”…
C. Call the toll-free number and make an
anonymous violation report.
No, this is not the best response. Unless you are finding
consistent HIPAA violations that after reporting are not being
corrected, let the agency have the opportunity at re-educating
its staff.
If you answered “D”…
D. Report it to your Fieldwork Educator
Yes, this is the best option. You should tell your FWE.
She/he will make sure that the individual responsible
receives further education.
You were able to convince your best friend who is a
nurse, to move to Miami and work with you. In the
cafeteria, she begins telling you about this handsome
guy that was just admitted to her unit after a car
accident. She continues to tell you some of the details
including that he was driving while intoxicated. What
should you do?
A. Remind her of HIPAA and tell her that you should
not discuss this type of information.
B. Ask her how old he is.
C. Tell her to get his phone number from the chart.
D. Call the agency/network privacy official.
E. Report her to her head nurse.
If you answered “A”…
A. Remind her of HIPAA and tell her that you should
not discuss this type of information.
Yes, this is a good option. Help her recall her
responsibilities to the patient’s right to confidentiality and
privacy.
If you answered “B” or “C”…
B. Ask her how old he is.
C. Tell her to get his phone number from the chart.
Really now!!! I am going to get the Agency’s HIPAA
Officer after both of you!
If you answered “D”…
D. Call the agency/network privacy official.
No, this is not the best response. Report to the
privacy office when you find consistent HIPAA
violations that after reporting are not being corrected.
If you answered “E”…
E. Report her to her head nurse
No, this is not the best response. Unless she is
consistently violating a patient’s rights to protect his/her
PHI, you will want to help each other.
While assisting Mrs. Johnson with her bath, she tells
you that she would like to remove her name from the
patient data that the volunteers have at the reception
desk.
Is this a reasonable request? What would you do with
this request?
A. Not reasonable; this information must be at the info desk
for family members and visitors.
B. Reasonable; report it to your FWE.
C. Not reasonable; help her understand that it is protected
by the volunteers.
D. Reasonable; call the volunteer office and have her
removed from the list.
If you answered “A”…
A. Not reasonable; this information must be at the
info desk for family members and visitors.
Incorrect, this is a reasonable request. Recall that
HIPAA gives patients the right to direct use and
disclosure of their PHI. It is within her rights to have her
name removed from the list. Most agencies will have
special forms for this.
If you answered “B”…
B. Reasonable; report it to your FWE.
Yes, this is the correct response. Recall that HIPAA
gives patients/clients the right to control the use and
disclosure of their PHI. It is within her rights to have
her name removed from the list.
As a student, report it to your FWE. Most facilities
have special forms for this type of request and your
FWE will guide you through the process.
If you answered “C”…
C. Not reasonable; help her understand that it is protected
by the volunteers.
Incorrect. Recall that HIPAA gives patients/clients the
right to control the use and disclosure of their PHI. It is
within her rights to have her name removed from the list.
If you answered “D”…
D. Reasonable; call the volunteer office and have her removed from the list.
Correct, BUT report it to your FWE first and let the
right person take care of the details. Most
agencies will have special forms for this. The best
response is ‘B’.
You are caring for Mr. Sanchez. His physician has called in several
consultants to assist with his care. One of the physicians, Dr Han, a
neurologist, calls to get some information about Mr. Sanchez. Can you
release information to her?
A. No, she is going to have to come in to be identified.
B. Her request would need to be forwarded to
Administration.
C. No, she should be instructed to contact Mr. Sanchez’
primary physician.
D. After obtaining sufficient info to know that it is Dr. Han,
you can share the requested information
If you answered “A”, “B”, or “C”…
Incorrect. After instituting reasonable safeguards that it
is Dr. Han, you should give her the information that she
requests. Recall that PHI can be shared with other
caregivers for TPO (treatment, payment, & agency
operation) without getting additional approval from the
patient.
If you answered “D”…
D. After obtaining sufficient info to know that it is Dr.
Han, you can share the requested information
Yes, this is the correct response. It is not a violation
of HIPAA if you institute reasonable assurances to
protect the security of the patient information and
then disclose to another person who has a ‘need to
know.’ Recall that PHI can be shared with other
caregivers for TPO (treatment, payment, & agency
operation) without getting additional approval from the
patient.
Case Scenario A
Mr. Olsen, a patient in a facility, has had an adverse reaction to his medication. The nurse tries several times to reach the patient’s physician for instructions, with no success. Finally, she reaches the club where the physician is attending a social event. She asks the receptionist to tell the physician that Mr. Olsen has had an adverse reaction to his medication, and she urgently needs a call back.
What should the nurse have done differently?
Answer
Leaving a message with someone other than the physician that provides any identifying details about the patient or his condition is a breach of confidentiality. If the person receiving the message knows Mr. Olsen, the information about his presence at the facility and his condition could lead to speculation about the patient. The nurse should have simply requested an immediate call back from the physician about an urgent patient matter.
Case Scenario B
Susan is a nurse in the ER of a city hospital, and she has just heard through the grapevine that a fellow nurse is pregnant. The other staff members would like to give this nurse a baby shower, but nobody knows when the baby is due or whether it is a boy or girl. Susan has access to the records and could easily find the answers to both questions.
Should Susan try to get the information?
Answer
Absolutely not. This is clearly an unauthorized use of medical information. Remember that you must never look at the records of patients you are not treating.
Summary
HIPAA requires organizations to have policies and procedures in place that:
• dictate how employees can use PHI
• when they can disclose it
• and, how they should dispose of it
Final Exam
Instructions:
1. Write your name on a piece of paper.
2. Write the numbers 1-10 and answer the following questions.
3. You must earn at least an 80%.
4. Bring the answer sheet to Dr. Abdel-Moty’s office.
1. Which area is not addressed by HIPAA?
a. Insurance portability
b. Hospital accreditation
c. Fraud enforcement
d. Administrative simplification
2. What are the two kinds of sanctions under HIPAA?
a. Egregious and inadvertent
b. Criminal and civil
c. Warranted and unwarranted
d. Security and privacy
3. Which organization has been charged with enforcing HIPAA’s privacy regulation?
a. The Joint Commission on Accreditation of Healthcare Organizations
b. The Office for Civil Rights
c. The Centers for Medicare and Medicaid Services
d. The Federal Bureau of Investigation
4. What kind of personally identifiable health information is protected by HIPAA’s privacy rule?
a. Written
b. Electronic
c. Spoken
d. All of the above
5. Which of the following are common features designed to protect confidentiality of health information contained in patients’ medical records?
a. Locks on medical records room
b. Passwords to access computerized records
c. Rules that prohibit employees from looking at records unless they have a need to know
d. All of the above
6. Confidentiality protection covers not just a patient’s health information, such as the diagnosis, but also other identifying information such as Social Security number and telephone number.
a. True
b. False
7. Is this an allowable practice under HIPAA?
It has been regular practice to leave the records system open and logged on at the nurses’ station computer at the end of a shift. This saves time during shift changes for the staff who need to retrieve records.
a. True
b. False
8. What could have been done differently to protect this patient’s privacy?
Mr. Rivera is a patient in the waiting room. He is the only male in the room. His physician is discussing his condition, testicular cancer, with a nurse, and everyone in the waiting room can hear the conversation.
a. Nothing, this is not a violation of HIPAA
b. The physician should have tried to find a private room or area where details could not be overheard
c. The physician should not have discussed the case with the nurse
9. What should you do?
You are about to leave your work at the hospital, and a physician asked you to fax her patient’s OT evaluation findings to her office fax. The findings are ready, but it is after hours, and none of the physician’s staff are available to receive the fax.
a. Fax it, the physician has the right to know the information.
b. Call the physician’s office, leave the patient’s name or other identifying information on the message, so that they call you back.
c. Don’t send the fax to an unattended machine unless you have been assured that it is in a locked room or has a locked cover.
10. What should you do?
You are an OT student doing your FW experience at a hospital. An individual comes to the OT area and tells you that he is there to work on the computers. He wants your password to log on to the electronic medical record system.
a. Give your password to him
b. Inform your FWE
c. Ask the man who at the organization contacted him
d. Take him to the person who contacted him