Ensign Services, Inc.
HIPAA Privacy and Security Operational Guide
This guide has been created for Ensign-affiliated facilities and entities to serve as an overview of
the daily operating policies and procedures with regard to maintaining compliance with the
Health Insurance Portability and Accountability Act (HIPAA).
This operational guide is intended to represent a simplified version of the company’s detailed
policies and procedures and is to be used by workforce members and management as a quick
reference to answer many of the daily questions that arise concerning HIPAA.
The HIPAA Privacy Rule creates national standards to protect a patient’s or resident’s medical
record and other personal health information. As healthcare providers we use and disclose
sensitive individually identifiable information daily and it is our duty to protect that information.
It is important that we understand a few key concepts related to our handling of patient or
resident information in order to protect the privacy rights afforded to them under the HIPAA
Privacy Rule. An understanding of these concepts will also help in implementing policies and
procedures.
Protected Health Information (PHI) is defined as individually identifiable health information
that is transmitted or maintained by a facility/entity in any form or medium.
Individually Identifiable Information is defined as a subset of health information, including
demographic information collected from a patient or resident, that is created or received by us,
relates to the past, present, or future physical or mental health or condition of a patient or
resident, and can be used to identify the patient or resident.
What Information Is Protected?
- Information doctors, nurses, therapists, consultants, and other health care providers
document in the medical record; both on paper and electronically
- Conversations about patient or resident care with others
- Billing and financial information
- Contact information including email address
- Photographs
- Most other health information that includes individually identifiable information
It is best to assume every piece of information is protected and to inquire as to whether or
not it can be used or disclosed for your intended purpose. When in doubt, please ask.
HIPAA Privacy and Security Operational Guide/August, 2016
CUSTOMER SECOND-ACCOUNTABILITY-PASSION FOR LEARNING-LOVE ONE ANOTHER-INTELLIGENT RISK TAKING-CELEBRATE-OWNERSHIP
USING PATIENT/RESIDENT INFORMATION
When we USE PHI we share, utilize, examine, and analyze information that remains WITHIN
our facility/entity. Examples of use include:
- TREATMENT: discussing patient or resident care with physicians, during care conferences,
with nurses/therapists
- PAYMENT: billing for services provided, collecting payment, verifying benefits
- HEALTHCARE OPERATIONS: collecting data for quality improvement activities,
monitoring, and training activities.
These are all permissible (allowed) uses of a patient’s or resident’s health information.
Are we allowed to include patient/resident information in facility directories and post their
name on the door of their room?
Patients and residents receiving care in a SNF or ALF should be afforded the right to determine:
- Whether or not their name is posted outside their room
- Whether their information is shared with family and friends, and to identify those with whom
we may share information (also applies to hospice and home health)
- Whether or not callers may be given information
- Whether or not clergy may be given information
At admission, ask the patient or resident to complete the Communication Method Request form
as part of the Notice of Privacy Practices.
Ensure staff are knowledgeable of the patient’s or resident’s preferred methods for
communication.
The following situations are NOT permitted when using PHI:
- Discussing patient or resident care in open, public areas or with others who should not
have the information
- Sharing more information than necessary to provide treatment or bill for services
- Accessing or copying records without a specific treatment, payment, or operational
purpose
What can you do to protect information while using it to care for our patients and
residents?
- Limit information to the minimum necessary to accomplish the intended purpose of the
use
- Discuss patient and resident care in private areas – when a private area is not available,
lower your voice and be aware of those who may overhear
- When discussing care with the patient or resident in a shared room, ask the patient or
resident if they object to the discussion - find a private location if an objection is
expressed
- Secure documents from public view
- Access only those records/documents needed to accomplish the task of providing
treatment, billing for services, or other operational functions
DISCLOSING PATIENT/RESIDENT INFORMATION
We also DISCLOSE protected health information for treatment and payment purposes.
Disclosure is the release, transfer, provision of access to, or divulging of PHI OUTSIDE the
facility/entity in order for others to provide treatment or bill for services. These disclosures are
permitted under the HIPAA rule and include: sending records with the patient or resident to the
hospital or to an appointment, faxing PHI to a physician, and transmitting claims for payment.
When disclosing PHI we must follow the Minimum Necessary standard. This standard is
defined as making reasonable efforts to limit the use or disclosure of, and requests for, protected
health information to the minimum necessary to accomplish the intended purpose.
Using or disclosing an entire medical record is not justified unless releasing it is reasonably
necessary to accomplish the purpose of the use or disclosure. An example of reasonably
necessary would be to release the entire record pursuant to a subpoena.
How do we account for these disclosures?
Use the Accounting of Disclosure log to document all disclosures of protected health information
except the following:
- For treatment, payment, and healthcare operations
- To the patient/resident (or personal representative)
- Pursuant to the patient’s/resident’s authorization
- For the facility/entity directory
- To persons involved in the patient’s/resident’s care
- For national security or intelligence purposes
- To correctional institutions or in law enforcement custodial situations
When does Minimum Necessary NOT apply?
You may disclose required PHI:
- To healthcare providers for treatment purposes
- To the patient or resident
- Pursuant to a valid authorization
- To the Secretary of the Department of Health and Human Services (DHHS)
- As required by law
There are times when, with good intention, we inadvertently disclose information to the wrong
person. Examples of inadvertent disclosures to other HIPAA covered parties include:
- Faxing PHI to the wrong physician
- Sending one patient’s or resident’s PHI with another patient or resident to the hospital or
to an appointment
What do we do when these inadvertent disclosures occur?
- Notify the Privacy Officer or contact the Compliance Hotline
- Secure the PHI by contacting the person/entity to which the PHI was faxed or sent and
inform them of the mistake
- Notify the patient or resident, typically by writing and delivering a letter of apology
assuring them the PHI was secured and procedures were implemented to prevent another
mistake
When is a disclosure NOT permitted?
- Sharing information with family and/or friends
- Posting any patient and resident information, including photographs, on social media
sites
- Sending PHI to others that do not have authorization to receive that information
- Removing PHI from the facility/entity without it being secure and for a specific