HIPAA Privacy Training - State University Of New York At New Paltz

HIPAA Privacy Training

Two (2) parts of HIPAA covered inthis presentation: HIPAA Privacy – Protection for the privacyof Protected Health Information (PHI)effective April 14, 2003 (includingStandardization of electronic datainterchange in health care transactions,effective October 2003) HIPAA Security – Protection for thesecurity of electronic Protected HealthInformation (e-PHI) effective April 20, 2005

What is the difference betweenPrivacy and Security? The Privacy Rule sets the standards forhow covered entities and businessassociates are to maintain the privacy ofProtected Health Information (PHI)The Security Rule defines the standardswhich require covered entities to implementbasic safeguards to protect electronicProtected Health Information (e-PHI)

The HIPAA Training Program will help you tounderstand: What is HIPAA?Who has to follow the HIPAA law?When is the HIPAA implementationdate?How does HIPAA affect you and yourjob?Why is HIPAA important?Where can you get answers to yourquestions about HIPAA?

What is HIPAA? HIPAA is theHealth InsurancePortability andAccountability Actof 1996.HIPAA is a FederalLaw. HIPAA is aresponse, byCongress, tohealthcare reform.HIPAA affects thehealth careindustry.HIPAA ismandatory.

HIPAA Protects the privacy and security of apatient’s health information.Provides for electronic and physicalsecurity of a patient’s healthinformation.Prevents health care fraud and abuse.Simplifies billing and other transactions,reducing health care administrativecosts.

Who must follow the HIPAALaw?Covered Entities must followthe HIPAA Law.

Examples of Covered Entities ProvidersHealth PlansClearinghouses for Electronic BillingBusiness Associates (throughcontracts)

Covered Entity? The key is whetherany of the CoveredTransactions areperformedelectronically

Covered Entity AlwaysOnce you are part of a covered entity,you are a covered entity with respect toall Protected Health Information (PHI),whether it is transmitted electronically, inpaper format, or transmitted orally.

Covered Transactions Consist of Enrollment and dis-enrollmentPremium paymentsEligibilityReferral certification and authorizationHealth claimsHealth care payment and remittanceadvice

What Patient Information Must WeProtect? Protected Health Information (PHI)ØRelates to past, present, or futurephysical or mental condition of anindividual; provisions of healthcare to anindividual; or for payment of careprovided to an individual.ØIs transmitted or maintained in any form(electronic, paper, or oralrepresentation).ØIdentifies, or can be used to identify theindividual.

Examples of PHIPHI Health Information with Identifiers NameAddress (including street, city, parish, zipcode and equivalent geocodes)Name of employerAny date (birth, admit date, discharge date)Telephone and Fax numbersElectronic (email) addressesSocial Security NumberMedical Records

A Covered Entity may not use or disclose anindividual’s protected healthinformation, except asotherwise permitted, orrequired, by law.

But A Covered Entity MAY Use and Share aPatient’s PHI forØTreatment of the patient, includingappointment remindersØPayment of health care bills

And for Business and managementoperationsDisclosures required by lawPublic Health and other governmentalreporting

“Treatment” Includes Direct patient careCoordination ofcareConsultationsReferrals to otherhealth careproviders

“Payment” Includes any activities requiredto bill and collect for health care servicesprovided to patients.“Health Care Operations” Includes businessmanagement and administrative activities,quality improvement, compliance,competency, and training.

A Covered Entity Must use or share only the minimumamount of PHI necessary, except forrequests madeØ for treatment of the patientØ by the patient, or as requested by the patient toothersØ by the Secretary of the Department of Health &Human Services (DHHS)Ø as required by lawØ to complete standardized electronictransactions, as required by HIPAA

For many other uses anddisclosures of PHI A Covered Entity must get asigned authorization from thepatient (for example, to disclosePHI to a pharmaceuticalcompany).

The Authorization MUST Describe the PHI to be used or releasedIdentify who may use or release the PHIIdentify who may receive the PHIDescribe the purposes of the use ordisclosureIdentify when the authorization expiresBe signed by the patient or someonemaking health care decisions (personalrepresentative) for the patient (as perPolicy GC-022)

HIPAA RequiresA Covered Entity to: Give each patient a Notice of PrivacyPractices that describes:Ø how the facility can use and share his or herProtected Health Information (PHI)Ø a patient’s privacy rightsand Request every patient to sign a writtenacknowledgement that he/she has receivedthe Notice of Privacy Practices.

Patient Rights The right to request restriction of PHIuses & disclosuresThe right to request alternative forms ofcommunications (mail to P.O. Box, notstreet address; no message on answeringmachine, etc.)The right to access and copy patient’sPHIThe right to an accounting of thedisclosures of PHIThe right to request amendments toinformation

How does HIPAA affect MY job?

Well, if You currently see, use, or share a person’sPHI as a part of your job, HIPAA maychange the way you do your jobYou currently work directly with patients,HIPAA may change the way you do yourjobAs part of your job, you mustprotect the privacy of the patient’sPHI

When can you use PHI?Only to do your job!

At all times Protect a patient’s information as if it wereyour own! Look at a patient’s PHI only if you need it toperform your job.Use a patient’s PHI only if you need it toperform your job.Give a patient’s PHI to others only when it’snecessary for them to perform their jobs.Talk to others about a patient’s PHI only if itis necessary to perform your job, and do itdiscreetly.

For Example 1.You are a physician whose friend’s wife is ina coma in the hospital after an accident. Heasks you to review the admitting physician’sorders and see if you concur. What can youlegally do under HIPAA?A. You can look at her chart so you can answeryour friend’s questions about his wife’scondition.B. You can ask the charge nurse on the floor tolook into her records for you.C. You can tell your friend that you can only look athis wife’s medical records if her physician, thepatient, or in this case, the patient’srepresentative, allows you to do so. Suggest thatyour friend ask to discuss her treatment andprogress with the attending physician.

Answer:C. Under HIPAA, you are only allowed to use informationrequired to do your job. Since you are neither theattending physician nor part of the patient’s care team, it isagainst the law to access the patient record or asksomeone to access it on your behalf—even though youmay know the person and just want to be helpful.Remember that, if you were in a similar situation, youmight not want your colleagues going through your ownmedical records, or those of your spouse or close friend.

Public Viewing / Hearing of PHI Refrain from discussing PHI in public areas,such as elevators and reception areas,unless doing so is necessary to providetreatment to one or more patients.Medical and support staff should take care ofsharing PHI with family members, relatives,or personal representatives of patients.Information cannot be disclosed unless thepatient has had an opportunity to agree withor object to the disclosure.Personal representatives are thoseindividuals who, under Louisiana law, areable to make healthcare decisions on behalfof the patient.

For ExampleDr. Fortissimo was eating breakfast in the MedSchool Cafeteria one Monday morning, and talkingon his cell phone to another doctor. During theconversation, he referred to the patient by name,and described her diagnosis. The cafeteria workerat the next table heard the call. What could havebeen done differently to protect the patient’sprivacy?A.B.C.The patient’s privacy was protected; nothing was donewrong, since no PHI was mentioned.It is important to be aware of your surroundings when youdiscuss patient information (PHI). The patient’s caseshould have been discussed in a more private location, or,at least, in a low voice that could not be overheard.Other customers should not be allowed to eat in thatsection of the cafeteria so as to avoid such situations.

Answer:B.Although HIPAA allows incidentaluses and disclosures, this type ofdisclosure is not allowed. PHIincludes oral communications. Thepatient’s case should only havebeen discussed in a location thatprovided for the privacy of theinformation discussed.

Use and Disclosures of PHI for Research The I.R.B. (Institutional Review Board) may notauthorize the use or disclosure of PHI for researchpurposes except:Ø For reviews preparatory to research;Ø For research on the protected health informationof a decedent;Ø If the information is completely “de-identified”;Ø If the information is partially de-identified into a“limited data set” and the recipient of theinformation signs a data use agreement to protectthe privacy of such information;

Why is protecting privacy andsecurity important? We all want our privacy protectedwhen we are patients – it’s the rightthing to do.ØDon’t be careless or negligent with PHIin any form. HIPAA and federal and state lawrequire us to protect a patient’sprivacy.

Penalties are 100 per violation 25,000 for an identical violation within oneyear 50,000 for wrongful disclosure 100,000 and/or 5 years in prison forwrongful violation for obtaining PHI underfalse pretenses 250,000 and/or 10 years in prison ifcommitted with intent to sell or transfer forcommercial advantage, personal gain, ormalicious harm, includes obtaining ordisclosing.

Protecting Patient Privacy RequiresUs to Secure Patient Information

Downloading/Copying/Removing Employees should not download, copy, orremove from the clinical areas any PHI,except as necessary to perform their jobs.*At SUNY New Paltz students are notallowed to remove any PHI from the clinicalarea.

Faxing Faxing is permitted. Always include, with the faxedinformation, a cover sheet containing a ConfidentialityStatement:Ø The documents accompanying the transmission containconfidential privileged information. The recipient of thisinformation is prohibited from disclosing the contents of theinformation to another party.Ø If you are neither the intended recipient, or the employee oragent responsible for delivery to the intended recipient, youare hereby notified that disclosure of contents in any manneris strictly prohibited. Please notify [name of sender] at[facility name] by calling [phone #] immediately if youreceived this information in error.

Information that should not be faxed(except in an emergency): Drug dependencyAlcohol dependencyMental illness or psychologicalinformationSexually-transmitted disease (STD)informationHIV status

Locating a Fax Machine Location should be secure wheneverpossible,In an area that is not accessible to thepublic, andWhenever possible, in an area thatrequires security keys or badges forentry.

So, what IS “e-PHI”? e-PHI (electronic Protected Health Information) iscomputer-based patient health information that isused, created, stored, received ortransmitted using any type of electronicinformation resource. Information in an electronic medical record,patient billing information transmitted to a payer,digital images and print outs, information when itis being sent to another provider, a payer or aresearcher.