
HIPAA NEWS An employee of the Tampa, Florida health department took a computer disk containing the names of 4,000 people who had tested positive for HIV,

Dec 29, 2015


Leonard Hoover

HIPAA NEWS

• An employee of the Tampa, Florida health department took a computer disk containing the names of 4,000 people who had tested positive for HIV, the virus that causes AIDS (USA Today, October 10, 1996).

• A laptop computer that contains health and identifying information for more than 1,700 Sacramento HIV-AIDS patients was stolen in a home burglary. A researcher brought home the computer to finish a report (AP, February 2006).

• A patient in a Boston-area hospital discovered that her medical record had been read by more than 200 of the hospital's employees (The Boston Globe, August 1, 2000).

• Wisconsin ED nurses were fired for taking patient photos on their cell phones and posting them on Facebook (EMS Responder, February 2009).

• More than 13 hospital workers at UCLA Medical Center were fired for snooping through Britney Spears’ confidential hospital records during her famed psych ward admission. In 2005, several workers were fired after they went through her records after she gave birth to son Sean Preston (US Magazine, March 15, 2008).


What is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act

• Gives patients more control over their Protected Health Information
• Protects the patient's PHI from intentional and unintentional misuse and exposure
• Provides for civil and criminal penalties for violators of the Privacy Rule
• Establishes a National Standard for handling and disclosure of PHI


Patient Rights

• The patient has the right to be informed of the Provider's Privacy Practices.
  – A copy is provided to the patient. We also have it posted on our web site.
• The patient has the right to examine, copy and request amendments to their PHI. Requests go through our business office.
• The patient has the right to control certain uses and disclosures of their PHI.


Notice of Privacy Practices

• Our Notice of Privacy Practices (NPP) is attached to the form that patients sign to acknowledge its receipt. All patients that you come into contact with, whether transport or refusals, must be presented with an NPP.

• The Privacy Rule excludes this requirement during an emergency but further explains that if the patient has not been presented with an NPP then they must be notified following the incident. Our practice is to make every effort to present the patient with an NPP at time of service and obtain, whenever possible, a signature from the patient acknowledging that he or she has received this notice.


We keep your PHI private!

Not necessarily! HIPAA does NOT mean that we keep all information private. We keep it private except for circumstances allowed by law.

– Suspected abuse or neglect
– Threat to National Security or Public Health
– Sharing related to patient care, billing, etc.
– Sharing patient information with law enforcement related to a crime, i.e., GSW
– These are just some examples

By signing our form, they are only acknowledging that they have received a copy of our practices. It is also available on our public web site.


Protected Health Information

• Patient Care Reports
• Pictures
  – Posting identifiable pictures on MySpace will get you in trouble! You WILL lose your certification!
• Name, Date of Birth, Social Security Number
• Dispatch Records
• Insurance Information
• Basically, any IDENTIFIABLE Info


Security Rules

• Information on computer screens is PHI.
• Protect your passwords.
• Log off computers when leaving on calls.
• Screen savers should be password protected and should activate within 5 minutes of inactivity.
• Do not allow access to your computers or reports by anyone who does not require specific access to perform their duties as outlined in Policies.


Compliance

• Reading someone’s report that was left out or left on a computer screen.
• Talking to a co-worker or family member on the phone about a call and mentioning a name or address or other identifiable fact.
• Reading a report of a friend or someone else you know to check on them or find out what happened.
• Keeping any copy of a report, EKG, notes, photos, etc., that may identify the patient.

THESE ARE ALL EXAMPLES OF VIOLATIONS OF THE HIPAA ACT


Privacy Applies to Everyone

What if you come into a room and find medical records lying on a table?

If you are able to, hand them to the person that left them out.

Place them in the report box and report to the privacy officer or security officer what you found so the reports will get to the right person.


Privacy Applies to Everyone

What if you find a computer that is logged on and left unattended?

Log the computer off and report your actions to the privacy or security officer.


Privacy Applies to Everyone

What if you overhear your partner at the hospital talking about a patient in a manner that the patient may be identified?

Remember, if you can hear it, someone else can. Remind your coworker of the privacy rules and report it to the privacy or security officer.


Privacy Applies to Everyone

What if you arrive at the hospital and see a patient you know?

You may certainly approach them and offer your concern if appropriate at that time.

You cannot ask them what their problem or injury is. They may offer it – but you cannot ask. You are a healthcare professional and are not entitled to PHI unless you are required to have it to perform your job.


What about hospital reports?

• You must give a hospital report to the nurse or doctor that is assuming patient care.
• You may relay any information concerning HX, DX, TX or billing information that you feel is necessary to continue good patient care.
• You should take care not to give this report in the presence of another patient.
• If a family member is present you may direct them to the waiting room.
• Do not delay a patient report to clear a room; use good judgment to assure that you do not unnecessarily reveal PHI to persons that are not entitled to it.


Reporting Violations

• Any violation should be reported to the privacy or security officer

• You will not suffer disciplinary action nor will retaliation be allowed in any way for reporting violations.


Criminal Liabilities

Federal Criminal Penalties

• Up to $50,000 and 1 year in prison for obtaining or disclosing protected information
• Up to $100,000 and up to 5 years in prison for obtaining or disclosing protected information under false pretenses
• Up to $250,000 and up to 10 years in prison for obtaining or disclosing protected information with the intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm


Procedures

• Log off computers when not in use or attended
• Protect and prevent any access to your paperwork
  – before, during and after preparing your PCR’s
• Place all completed PCR’s into mailbox when you are finished preparing reports
• Destroy all notes and paperwork that is PHI that will not be attached to your PCR’s. Shred it!
• Provide every patient a copy of our NPP and document anytime that you cannot obtain a signature acknowledging receipt of NPP and why.
• Use caution where oral PHI is required


Why HIPAA Privacy Regulations Exist

The underlying purpose behind the administrative simplification portion of HIPAA is to establish common standards across the healthcare system to streamline the paperwork and administration associated with health care. In establishing these common standards, Congress quickly recognized the need to protect patient information, and so to that end, HIPAA establishes a number of new (and in some instances more stringent) regulations regarding the protection of patient information.


A lot of People Have Access to Your Health Information

Imagine you were admitted to the hospital for a minor procedure. After three days and two nights you are discharged. During that time, how many people had access to your health records? Ten? Twenty? Fifty?

According to the American Health Information Management Association, an average of 150 people will have access to your private health information.

HIPAA ensures that those who have access to your health information are authorized and they will use it appropriately.


How HIPAA Changes Things

Imagine having to learn a different set of driving laws every time you crossed state lines, or the car you drive operates totally differently from a car in another state. Getting from Point A to Point B would be very difficult. HIPAA regulations standardize the "driving laws" regarding health information.

Other HIPAA regulations set standards for the protection, release, and use of health information. These are the Privacy regulations. The chart below summarizes some of these changes.

Before HIPAA: Privacy procedures regarding a person’s health information were often inconsistent from state to state.
After HIPAA: Basic privacy expectations are now standard across the board; everyone will protect health information to comply with certain federal minimum standards.

Before HIPAA: Security procedures regarding how to protect health information were inconsistent.
After HIPAA: Standardized security procedures will be required in the future.

Before HIPAA: Lack of standard data formats made sharing health information cumbersome and inefficient.
After HIPAA: Streamlined, more efficient systems for sharing electronic health information.

Before HIPAA: Communication was difficult.
After HIPAA: Improved communication and enhanced consumer service, for example, the coordination of health care benefits, will be easier.


What can I do?

You may be asking yourself, "What can I do to safeguard PHI?"

Consider the following procedures and practices:

• Change your computer password regularly.
• Do not leave PHI on a computer screen.
• Do not log on to a computer and then allow others access via your password.
• If it is appropriate to destroy records containing PHI, be sure to shred it completely.


Questions?