HIPAA Privacy Education Updated July 2016
Course Objectives
Mountain States Health Alliance | Bringing Loving Care to Health Care
This computer-based learning course covers HIPAA,
HITECH, and the MSHA Privacy and Security Program.
Acronyms and Terms
HIPAA and HITECH Overview
Requirements of the Law
The concept of protected health information (PHI)
Permitted and Prohibited uses and disclosures of PHI
MSHA Policies & Procedures
MSHA Team Member Responsibilities
HIPAA applied to real-life situations
Definitions and Terms
ARRA: American Recovery and Reinvestment Act, commonly referred to as the Stimulus or The Recovery Act.
Breach: Improper access, use, or disclosure of Protected Health Information.
Business Associate (BA): A person or company that accesses PHI because of its relationship with a covered entity. The HIPAA responsibilities of the BA are outlined in a business associate agreement between the BA and the covered entity. A company that types/transcribes medical reports for a hospital or physician office is one example.
Covered Entity (CE): Health plans, health care clearinghouses, and health care providers that conduct certain financial and administrative transactions electronically. MSHA is a covered entity.
Definitions and Terms
De-identified information: PHI which has been sufficiently “stripped” of identifying information (such as name, age, sex, medical record and account number, social security number, etc.) so that the person to whom it belongs can no longer be identified.
Disclosure: The release, transfer, provision of access to, or divulging in any manner of information outside the entity who holds the information.
DHHS: Department of Health and Human Services.
HIPAA: Health Insurance Portability and Accountability Act.
HITECH: Health Information Technology for Economic and Clinical Health Act, a 2009 provision of the American Recovery and Reinvestment Act (ARRA).
Definitions and Terms
Minimum necessary: Use, access, and disclosure of PHI by a covered entity or business associate are limited to the minimum amount of information necessary to accomplish the required task.
Office of Civil Rights (OCR): Entity of DHHS responsible for enforcing the HIPAA privacy and security rules.
Privacy officer: Designated individual by a covered entity to oversee HIPAA Privacy Regulation compliance.
Protected Health Information (PHI): Individually identifiable health information in any form, oral and recorded, that relates to past, present, or future physical or mental health or condition of an individual, including demographic information.
Test Your Knowledge
Identify which of the following are true:
A. MSHA facilities are considered covered entities under HIPAA and therefore must comply with HIPAA.
B. PHI is individually identifiable health information in any form but does not include demographic information.
C. Removing all identifying information so the person the information belongs to can no longer be identified is considered de-identifying information.
D. Minimum necessary is limiting the amount of information used, accessed, and/or disclosed to the minimum amount necessary to accomplish the required task.
E. All of the above.
F. A, C, and D.
Test Your Knowledge - Answer
Identify which of the following are true:
A. MSHA facilities are considered covered entities under HIPAA and therefore must comply with HIPAA.
B. PHI is individually identifiable health information in any form but does not include demographic information.
C. Removing all identifying information so the person the information belongs to can no longer be identified is considered de-identifying information.
D. Minimum necessary is limiting the amount of information used, accessed, and/or disclosed to the minimum amount necessary to accomplish the required task.
E. All of the above.
F. A, C, and D.
Answer: F
Privacy Laws and Regulations
There are many federal and state laws regarding the
privacy of patient information. One such federal law is
the Health Insurance Portability & Accountability Act of
1996 (HIPAA).
HIPAA sets forth regulations for improved efficiency in
healthcare delivery and the handling of patient information;
requiring health identifiers; and creating privacy standards.
HIPAA brought about two rules:
Privacy Rule – compliance date of April 2003
Security Rule – compliance date of April 2005
What are ARRA and HITECH?
The American Recovery and Reinvestment Act (ARRA),
Public Law 111-5, is an economic stimulus package
that was signed into law on February 17, 2009.
The Health Information Technology for Economic and
Clinical Health (HITECH) Act is the part of the ARRA
law that deals with many of the health information
communication and technology provisions, including
Subpart D – Privacy.
Enforcement of HIPAA
The Department of Health and Human Services (DHHS) is
a department of the federal government that has overall
responsibility for implementing and enforcing HIPAA.
Office of Civil Rights (OCR) is responsible for implementing
and enforcing the Privacy and Security Rules.
MSHA Corporate Audit and Compliance Services
department is responsible for monitoring and assessing
MSHA compliance with HIPAA.
Potential Penalties:
Civil
Criminal
Federal lawsuit
Loss of professional license
Employer corrective action including termination
Criminal Liability
§13409 of the American Recovery and Reinvestment Act clarified that employees of covered entities may be held
criminally liable for obtaining or disclosing individually identifiable health information maintained by covered entities without authorization.
Who? Individuals who "knowingly" obtain or disclose individually identifiable health information in violation of HIPAA.
What? A fine from $50,000 up to $250,000 and imprisonment from one year up to ten years.
Privacy and Security Rule
The Privacy Rule is intended to protect the privacy of an
individual’s health information, regardless of whether
the information is written, spoken, or stored in a
computer.
The Security Rule provides protection of all health
information that is housed or transmitted electronically.
Privacy Rule
The Privacy Rule describes many ways that MSHA may
use or disclose a patient’s protected health information, such as:
To the Individual
To Others Involved in the Individual’s Care
For Treatment, Payment, or Health Care Operations (“TPO”)
When an authorization from the patient is required
Within the Facility Directory
Disclosure of PHI when required by law
For Public Health or Health Oversight
Law Enforcement Purposes
Research Purposes
For Organ Donation
For Workers’ Compensation
For Disclosures about Victims of Abuse, Neglect, Domestic Violence
Others
Treatment, Payment and Health Care Operations (TPO)
HIPAA permits use and disclosure of PHI for TPO:
Treatment: the provision, coordination or management of care and services, including coordination by a provider with a third party; consultation between health care providers; or referral from one provider to another.
Payment: activities to obtain or provide reimbursement for services; billing, claims management, collection activities; review for medical necessity; utilization review, pre-certification and pre-authorization of services; disclosure to consumer reporting agencies; others.
Health Care Operations: operating activities such as conducting quality improvement activities; reviewing competence of health care professionals; underwriting, premium rating, etc.; medical review, legal services, auditing; business planning/development; others.
Privacy Rule: Permitted Uses and Disclosures
While the Privacy Rule describes many ways in which
MSHA is permitted to use and disclose patient
information, BEFORE any team member uses or
discloses any patient information, you must refer to
MSHA policy IM-900-019 Release, Use, and Disclosure
of Patient Information for details.
No MSHA team member shall disclose information
without first knowing:
To whom they are disclosing the information
Whether the recipient is authorized to receive the information
Whether the requested information is appropriate for the content and purpose of the request
Whether applicable content of this policy has been addressed in the process of disclosing the information
Privacy Rule: Authorizations
There are many reasons that information about a patient
is used within MSHA or disclosed outside of MSHA.
Generally, an authorization is not required to use or disclose
patient information to carry out Treatment, Payment, or Health
Care Operations (“TPO”). Other exceptions may apply.
MSHA also discloses patient information as required by law or as
required reporting; these disclosures do not require patient authorization.
Examples include:
Birth data to the TN Dept of Vital Statistics
Cancer data to the State Tumor Registry
Data to Protective Services Agencies (for victims of crime, abuse, or neglect)
Many others
Refer to MSHA policy IM-900-019 Release, Use and
Disclosure of Patient Information for details.
Privacy Rule: Administrative Requirements
The Privacy Rule contains many other requirements that MSHA must
comply with, such as:
Business Associate Contracts: Under certain conditions, MSHA is required to
maintain legal contracts with business partners whose activity may involve the
use or disclosure of individually identifiable health information. MSHA Legal
Counsel should be consulted regarding contracts when patient information is involved.
De-Identification of PHI: Under certain scenarios, information can be used or
disclosed if de-identified. Refer to MSHA policy De-Identification of Protected
Health Information IM-900-006 for details.
Minimum Necessary: When using or disclosing PHI or when requesting PHI, a
reasonable effort must be made to limit the PHI to the minimum necessary to
accomplish the intended purpose of the use, disclosure, or request. Refer to
MSHA policy IM-900-014 Minimum Necessary Use and Disclosure of
Protected Health Information for details.
Notice Of Privacy Practice (NPP)
The Notice of Privacy Practices is a requirement of HIPAA. The
NPP describes how MSHA uses and discloses a patient’s
information and how the patient can access that information.
The NPP must be:
Given to each patient at time of registration
Posted in registration areas
Acknowledged by the patient (a signed acknowledgement of receipt must be obtained)
Posted on the MSHA website
Access the MSHA NPP by using the link below:
https://www.mountainstateshealth.com/notice-privacy-practices
Patient Rights
HIPAA mandates that patients have certain rights with
respect to their information. A patient has the right to:
Access his/her record.
Request restrictions/confidential communications about the use and disclosure of their PHI.
Restriction for Out-of-Pocket Payments: A patient may restrict disclosure of protected health information to a health plan when the patient has paid out-of-pocket in full for the services. Refer to MSHA IM-900-019 Request for Restriction of the Use and/or Disclosure of Patient PHI.
Request to amend specific portions of their record. MSHA may deny the amendment, but must have a procedure available for the patient to request the amendment. Refer to MSHA policy IM-900-005 Corrections/Amendments to the Medical Record.
Request a copy of the accounting of disclosures. MSHA is required to keep a history of when and to whom information was disclosed about a patient for purposes other than treatment, payment or health care operations. Refer to MSHA policy IM-900-002 Accounting of Disclosures of Protected Health Information.
Privacy and Security Program
Additional HIPAA Administrative Requirements:
MSHA must provide education on the policies and procedures.
MSHA avenues for education include:
This online TEDS learning
Team Member Orientation
Newsletter articles/email updates
Facility/Departmental sessions
MSHA must designate a Privacy Officer who is responsible for:
Receiving complaints
Providing a process to receive complaints
MSHA may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against anyone who makes a complaint.
Team members must promptly report all HIPAA concerns. Review IM-900-026 Reporting of Potential or Actual Breaches of Patient Protected Health Information.
Privacy and Security Program
MSHA must reasonably safeguard PHI from intentional or
unintentional use or disclosure:
Team members must reasonably safeguard PHI to limit incidental uses or disclosures. Incidental uses/disclosures are a secondary by-product of a permitted use/disclosure that cannot reasonably be prevented, and are limited in nature.
MSHA must apply disciplinary actions against team members who fail to comply with the privacy policies and procedures.
MSHA team members needing access to their own or a family member’s medical record should contact the Medical Records department per policy IM-900-024 Team Member Access to Their Own or Family Members Medical Record Protected Health Information (PHI).
MSHA must implement policies and procedures with respect to PHI that are designed to comply with the HIPAA Rules. Review MSHA policy IM-900-018 Privacy and Security Program.
Privacy and Security Program
Handling Work of Someone You Know
Team members are expected to maintain the confidentiality of patient information during and subsequent to employment with MSHA.
Team members may have access to and become knowledgeable about information of individuals who are known to the team member, such as current and previous family members, friends, and co-workers.
The intent of this policy is to provide team members with guidelines on how to respond to such situations, to avoid placing the team member in a compromising position and to avoid the appearance of a conflict of interest.
Steps for the team member to take, when possible:
Contact a Supervisor/Manager to request that the work be re-assigned.
If a Supervisor/Manager is not readily available, the team member may ask, as appropriate, another co-worker to complete the necessary work.
If no other co-worker is available, and a Supervisor/Manager is not readily available, the team member should proceed with completing the work to ensure that patient care is not compromised.
The team member should notify a Supervisor/Manager of the occurrence.
Refer to policy IM-900-028 Handling of Work of Someone You Know.
Knowledge Check
Identify which of the following are true:
A. If during your normal job duties you encounter information of a patient with whom you have a personal family history, you should alert your manager of the situation.
B. If in your role as a team member you have access to the computer system in which protected health information is stored, it is OK for you to access your own or an immediate family member’s medical information using your computer login.
C. When an individual’s role changes from that of a MSHA “team member” to a “patient” or “family member”, the rights of the individual as a patient and the requirements of MSHA as a provider do not change.
D. All of the above.
E. A and C only.
Knowledge Check - Answer
Identify which of the following are true:
A. If during your normal job duties you encounter information of a patient with whom you have a personal family history, you should alert your manager of the situation.
B. If in your role as a team member you have access to the computer system in which protected health information is stored, it is OK for you to access your own or an immediate family member’s medical information using your computer login.
C. When an individual’s role changes from that of a MSHA “team member” to a “patient” or “family member”, the rights of the individual as a patient and the requirements of MSHA as a provider do not change.
D. All of the above.
E. A and C only.
Answer: E. Be knowledgeable of policies IM-900-024 and IM-900-028.
HIPAA Knowledge Check
If a team member sees their physician while at work
and they discuss the team member’s 5-year-old
son’s upcoming physician office appointment, and
the physician tells the team member to bring the
most recent lab or x-ray result with them to the
appointment, it is okay for the team member to log
in with their computer login and print the results to
take to the physician.
Yes or No?
HIPAA Knowledge Check - Answer
If a team member sees their physician while at work
and they discuss the team member’s 5-year-old son’s
upcoming physician office appointment, and the
physician tells the team member to bring the most
recent lab or x-ray result with them to the appointment,
it is okay for the team member to log in with their
computer login and print the results to take to the
physician.
Answer: No. Refer to Policy ADM-900-019 for the correct procedure.
Where is PHI in a Healthcare Organization?
Verbal Conversations
Paper Documents and Reports
Computers and Technology
“Need to Know” Rule
Before looking at Patient Information,
ask yourself, “Do I need to know this to
do my job?” If the answer is Yes, then
access is appropriate. If the answer is No, then
access is NOT appropriate.
HIPAA Knowledge Check
When entering a patient treatment area to
discuss the patient’s medical condition, lab
results, or treatment and the patient has visitors
in the room the caregiver should courteously
ask the visitor(s) to please step out of the room
for a minute.
o True
o False
HIPAA Knowledge Check - Answer
When entering a patient treatment area to
discuss the patient’s medical condition, lab
results, or treatment and the patient has visitors
in the room the caregiver should courteously
ask the visitor(s) to please step out of the room
for a minute.
Answer: True. As caregivers it is our responsibility to be
the patient’s ambassador and ensure the patient has given
us authorization to disclose their PHI to family, friends, and others.
Patient Information Inquiries
It is the practice of MSHA to release information to the
media in the same manner as the release to the general
public; however, all requests for information from the
media must be directed to the Department of Marketing /
Public Relations.
General Public: When a visitor or caller requests
information about a patient, generally only the following
can be provided:
Patient Name
Patient Location
Patient Condition
The caller MUST ask for the patient by name.
Review policy CM-500-005 Release of Patient Information to the Media.
Patient Information Inquiries
At the time of registration, a patient may request that no
information be released. Review IM-900-021 Request for Restriction
of the Use and/or Disclosure of Patient Protected Health Information.
Information about patients under psychiatric care is more
restrictive. Refer to the specific policies for these patients
and contact Medical Records.
In the event of an emergency, policies and professional
judgment may permit information to be disclosed.
In the event of a disaster, existing disaster protocols should
be followed.
Patient may participate in the VIP (Very Important Partner)
program upon admission. Review P&P PC-600-143 Very Important
Partner (VIP) Program.
Law Enforcement Notification and Inquiries
There are several MSHA policies located in Policy Manager which team members should be aware of and comply with.
The general rule of thumb is to contact your manager when you are faced with situations requiring possible reporting to, or inquiries from, law enforcement, state, and other agencies.
Below are just a few policy examples:
Prisoner - Inmate - Care of the - Law Enforcement Inquiries
Reportable Cases to Law Enforcement Agencies
Adult Abuse and Neglect - Protection and Reporting
Notification of Deaths to the Coroner or Medical Examiner's Office
Responding to Request for Patient Information from Law Enforcement
MSHA Policy and Procedures
Policy IM-900-007 Disposal of Documents Containing
Patient Information addresses proper disposal of PHI.
Paper documents should be shredded.
If an outside shredding service is utilized, it should be the MSHA approved shredding vendor.
The Materials Management Department of the facility should be contacted for information about the shredding service.
Magnetic media should be destroyed using bulk erasure.
CDs/platters should be pulverized or broken up.
Facility records must be destroyed in a manner that ensures the confidentiality of the records and renders the PHI no longer recognizable.
Balancing Privacy With Adoption of Technology
Team members whose role may involve training and testing of
computer applications should not access their own PHI or
that of a family member, or someone they know.
Photographs of patients are considered PHI.
Photography includes photographs, still images, videotape recordings, digital or any other image method.
All patient photographs are the property of MSHA and are to be filed in the patient’s medical record.
The use of personal equipment, including cellular phone cameras, to photograph patients is strictly prohibited.
Review P&P PCA-600-011 Photography of Patients.
Education regarding social media and electronic media will be covered in the HIPAA Security TEDS learning.
What Can you do?
A few ways to protect patient information:
Access, use or disclose patient information only if involved in the care of the patient.
Never share passwords, and log off or lock computers when away!
Disclose patient information only if you are the right person to disclose it and you are disclosing it to the right person.
If appropriate to disclose information, disclose only what is needed: the minimum necessary.
BE ALERT to verbal discussions and surroundings. Make other team members aware if you are hearing conversations that should not be heard.
Provide privacy for patients during discussions, including asking others to leave the room if necessary.
Be aware of access to patient information such as printouts, computer screens, reports, etc. Put away patient records when not in use.
Turn documents face down. Do not place patient documents in recycling bins or trash containers... they must be properly shredded!
Be knowledgeable of MSHA policies, procedures and practices relating to patient information. If unsure… ASK your supervisor.
When leaving messages for patients, leave the minimal information needed, such as your name and the call-back number.
Summary
This course has provided an abbreviated overview of the HIPAA Privacy Rule; and
some of the principles practiced throughout MSHA. There may be other policies and
procedures that you should know. If you have questions, you should contact your
immediate supervisor; or you may contact the MSHA Corporate Audit and
Compliance Services Department.
As a healthcare provider, MSHA creates and maintains personal health information
about patients. Our patients expect that their information will be treated with
respect and confidentiality. This means ALL patient information, whether it is verbal,
written or in any computer system.
It is an expectation and a responsibility of every team member to ensure the privacy
and security of patient information and to report all concerns.
Under HIPAA and ARRA both the organization and the team members are liable.
Each team member is responsible for ensuring compliance with HIPAA.
Remember the “Need to Know” rule. Only access information that you have a need
to know to do your job.
Violation of MSHA privacy/security policies may result in disciplinary action up to
and including termination.
Who to Contact?
• MSHA Alert line 1-800-535-9057
• Submit an online report using the Patient Safety or Reporting Feedback System
• Talk to your manager
• Privacy Officer
• Donna Coomes @ 423-302-3401
HIPAA Information from CACS
Please close this window and return to TEDS to complete the test for this course.
Almost finished….