HIPAA Job Specific Education 1 HIPAA Privacy Keys to Success Education for Students Updated February 2010
Feb 25, 2016
HIPAA Job Specific Education 1
HIPAA PrivacyKeys to Success
Education for StudentsUpdated February 2010
HIPAA Job Specific Education 2
HIPAA and Its PurposeWhat is HIPAA?
Health Insurance Portability and Accountability Act of 1996
Title II – Administrative Simplification
It’s a federal law HIPAA is
mandatory, penalties for failure to comply
Purpose: Protect health insurance
coverage, improve access to healthcare
Reduce fraud and abuse Improve quality of
healthcare in general Reduce healthcare
administrative costs (electronic transactions)
HIPAA Job Specific Education 3
HITECH and Its PurposeWhat is HITECH?
Health Information Technology for Economic and Clinical Health Act
Subtitle D of the American Recovery and Reinvestment Act of 2009 (ARRA)
It’s a federal law
Purpose: Makes massive changes to privacy and security laws Applies to covered entities and business associates Creates a nationwide electronic health record Increases penalties for privacy and security violations
HIPAA Job Specific Education 4
Civil Penalties for Non-compliance*
Violation Category Each Violation All such violations of an identical provision in a calendar year
Did Not Know $100 - $50,000 $1,500,000
Reasonable Cause $1,000 – $50,000 $1,500,000
Willful Neglect – Corrected $10,000 - $50,000 $1,500,000
Willful Neglect – Not Corrected $50,000 $1,500,000
*As of 2/17/09
HIPAA Job Specific Education 5
Criminal Penalties for Non-compliance
• These penalties can apply to any “person” , including students.
• The penalties are higher for actions designed to generate monetary gain up to $50,000 and one year in prison for obtaining or disclosing
protected health information up to $100,000 and up to five years in prison for obtaining
protected health information under "false pretenses"
up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm
HIPAA Job Specific Education 6
Facility Privacy Official• The name of the facility’s FPO is Debra
Hasling.• The FPO is Responsible for:
– Privacy Program– Privacy Rights of patients– Requests for Privacy Restrictions– Facilitating the training and education of staff
HIPAA Job Specific Education 7
HIPAA Terminology• HIPAA: Health Insurance Portability and Accountability Act• HITECH: Health Information Technology for Economic and
Clinical Health Act• PHI: Protected Health Information• CE: Covered Entity (Hospital)• ACE: Affiliated Covered Entity (Common ownership)
OHCA: Organized Health Care Arrangement (The hospital and medical staff will be considered an Organized Health Care Arrangement)
• DRS: Designated Record Set (medical record and billing record)
• AOD: Accounting of Disclosures (patient’s right to receive)• Directory: Hospital census list used by volunteers and
operators with name and room
HIPAA Job Specific Education 8
How will HIPAA affect you?• Coversheets with confidential statement need to be used on
all external faxes. • Screens need to be placed out of public view when
possible• Patient charts need to be placed in secure area• PHI needs to be placed in Shred-It containers for disposal• Patient family members will be given a passcode for
information other than directory releases• Patient information should only be accessed if there is a
need to know
NEED TO KNOW
• Any person (including students) who have access to the facility or Company systems or applications may only view information contained in that system when there is a NEED TO KNOW for purposes of treatment, payment or operations.
HIPAA Job Specific Education 9
Accessing Your Medical Record
• You may never access your own medical record via the Meditech system.
• You may access your own medical record by following the procedures as required for any patient.
HIPAA Job Specific Education 10
MONITORING NEED TO KNOW
• HCA’s IT&S Department monitors all individuals who access its medical records through ongoing “Appropriate Access” audits.
• When IT&S determines a student may have accessed a medical record without the NEED TO KNOW, IT&S will contact that student’s supervisor.
HIPAA Job Specific Education 11
HIPAA Job Specific Education 12
How will HIPAA affect you?• Registration will give out a Notice of Privacy Practices
brochure to every patient concerning our patient privacy protection policy.
• Patients will be given the option to “opt out” of our directory.
• Patients have a right to a copy of their medical record• Authorizations need to be obtained from patient to release
information for reasons other than for treatment, payment or healthcare operations (TPO)
HIPAA Job Specific Education 13
What is Protected by HIPAA (PHI)? Any one of the following is PHI.
• Name• Address including street, city, county, zip code and equivalent
geocodes• Names of relatives• Name of employers• Birth date• Telephone numbers• Fax Numbers• Electronic e-mail addresses• Social Security Number• Medical record number
• Health plan beneficiary number • Account number• Certificate/license number• Any vehicle or other device serial number• Web Universal Resource Locator (URL)• Internet Protocol (IP) address number• Finger or voice prints• Photographic images• Any other unique identifying number, characteristic, code
HIPAA Job Specific Education 14
What is a Covered Entity (CE)?
• Health plans, Health care clearinghouses, and Health care providers that transmit electronically for billing– Examples
• Hospitals• Physician Practices• Insurance companies• Ambulance Transportation Services• Hospice • Home Health
HIPAA Job Specific Education 15
What does that mean to me?• Information may be shared without patient
authorization as it relates to treatment, payment or hospital operations (TPO)
• When in in doubt… check with the Charge Nurse or Department Director prior to sharing information without patient authorization.
HIPAA Job Specific Education 16
Disclosing PHI to Family Members and Friends Who
Call the Unit
• Patients are assigned a four-digit passcode. Family members and friends need this passcode to be able to get non-directory information
• Distribution of the passcode is the responsibility of the patient
HIPAA Job Specific Education 17
Verification of Requestors• When a Covered Entity makes a Request
via phone they will need:– Patient SS# + DOB and one of the following:
– Account number, street address, MR#, birth certificate, insurance card or policy number
– Scenario• An unknown physician calling from cell phone must
have the patient SS# + DOB and one of the above prior to information being provided to that physician.
HIPAA Job Specific Education 18
External Faxing Guidelines• Limit when possible• Verify fax number• Fax machine must be located in secure location• ALWAYS use cover sheet with confidentiality
statement for transmittals• Highly sensitive information should NEVER be
faxed (HIV status, abuse records, etc.)
HIPAA Job Specific Education 19
Patient’s Right to Access• Patients may request a copy or inspection of
their medical record.• BUT, students should not provide a copy to
the patient nor allow the patient to inspect their medical record.
• Students should direct the patient’s request to Charge Nurse for follow up.
HIPAA Job Specific Education 20
Patient’s Right to Opt out of Directory
• A patient can opt out of directory at anytime but this will most likely happen during the admission process.
• IF A PATIENT OPTS OUT OF THE DIRECTORY… you may not acknowledge the patient is in the facility AND
• You may not give information about the patient to family and friends unless they provide the 4-digit passcode.
HIPAA Job Specific Education 21
Right to Privacy Restrictions• Patients have the right to request a privacy
restriction of their PHI• But, NEVER agree to a patient requested
restriction • All requests must be made in writing and
given to the FPO to make a decision on• NO request is so small that it should not be
routed to the FPO
HIPAA Job Specific Education 22
Patient Privacy Complaints
• ALL privacy complaints must be routed to the FPO
• No privacy complaint is too small or insignificant
HIPAA Job Specific Education 23
Notice of Privacy Practices• Patient will receive a Notice of Privacy Practices
(NOPP) upon each registration• Notice of Privacy Practices outlines patient rights
– Right to access– Right to amend– Confidential Communication– Right to Privacy Restriction– Right to Opt out of Directory
• Ask registration for a copy of the NOPP
Breach Notification• Beginning February 2010…HITECH
provisions require the following notifications when breaches (as defined in the regulations) occur:– To the patient (the facility is required to send a
letter to the patient). – To the Department of Health and Human
Services (the facility notifies DHHS online).– To the media when the breach involves more
than 500 individuals in the same jurisdiction.HIPAA Job Specific Education 24
HIPAA Job Specific Education 25
Security Compliance TAKE IT SERIOUSLY
• Log off terminals when not in use.
• Computer screens should be positioned so information (PHI) is not readable by the public
• Printers should be in protected locations so that printed information is not accessible by the public.
• PHI must be disposed using SHRED –IT bins.
HIPAA Job Specific Education 26
Common Exposures To Avoid
• Discussions of patient information in public places such as elevators, hallways and cafeterias
• Printed or electronic information left in public view (e.g., charts left on counters)
• PHI in regular trash
• Unauthorized individuals hearing patient sensitive information such as diagnosis or treatment
SOCIAL NETWORKING
• NEVER discuss patients or patient information (even if you think it is unidentifiable) on a social network site, such as Face Book or Twitter.
HIPAA Job Specific Education 27
HIPAA Job Specific Education 28
Disciplinary Action and/or School Notification
3 levels of violations with disciplinary action and/or notification to the school:– Accidental disclosure of PHI may result in an oral or
written warning.– Purposeful violation of privacy policy may result in
notification to school and dismissal from hospital’s student program.
– Purposeful violation of privacy policy with associated potential for patient harm will result in notification to school and dismissal from the hospital’s student program.
HIPAA Job Specific Education 29
Tracking Your TrainingFederal law requires each HCA facility to document
that you have successfully completed HIPAA training and to track that documentation for six (6) years.
1. You must successfully pass the HIPAA Quiz;
2. Receive a Certificate of Completion from the facility; &
3. Ensure your facility has a copy of both your Quiz and Certificate for their records.
Please keep a copy of your Quiz and the Certificate for your records
HIPAA Job Specific Education 30
STOP!! STOP!! STOP!! STOP!! Your training is NOT complete!!