Presentation on theme: "Protecting Patient Privacy:"— Presentation transcript:
1Protecting Patient Privacy: HIPAA Guidelines forHealth Care Providers
2Overview By the end of this presentation, you should be able to: Identify 3 key responsibilities you have for the protection of personal health information (PHI)Identify new patient rights under the HIPAA Privacy RuleIdentify categories of authorization for disclosure of health informationIdentify safeguards to apply to facsimile transmission(s) of health information
3Notice of Privacy Practices Serves as the main communication to patientsEducates patients on:Their rightsYour responsibilities for protecting their PHIHow you may use and disclose their PHIDirects patients where to go for questions and concerns regarding their PHI
4Notice of Privacy Practices (cont.) Patients are provided the notice at their first service/registration encounterPatients sign an acknowledgement that they received the noticeAcknowledgement of receipt is then part of the medical record
5Patient Privacy Rights Patients have a right to:Request restrictions on use and disclosure of their informationRequest amendments to their health informationRequest an accounting of disclosuresComplain about health information disclosure practices
6Your Obligations to the Patient Effectively manage and safeguard their personal health informationFollow policies and best practices for the management of personal health information (PHI)Support and encourage patient rights regarding their PHI
7Patient Pays Cash for the Visit HIPAA/HITECH now allows the following:When a patient pays cash for a visit and do not want their insurance company billed for the service, the healthcare provider cannot share information about the visit or the treatment given with the patient’s health plan, or other requesting entity without the expressed written permission of the patient.
8Health Information Policies PHI policies guide the following:Access to personal health informationUse of personal health informationDisclosure of personal health information
9Access to PHIBased on “need to know” and “minimum necessary” principlesIndividuals needing access to PHI include those individuals:Providing health carePerforming payment or billing activitiesCan only provide information on a specific visitParticipating in health care operations
10Use of PHIOccurs with information gathered while providing patient care, and is kept under direct controlExamples include:Informing phlebotomist on what blood tests are being orderedA HCP discussing case with specialist patient was referred to
11Payment for ServicesActivities that are intended to obtain payment for healthcare services include:Insurance verificationEligibilityBilling & collectionsActivities to obtain payment generally do not require a patient authorizationThe bill the patient would receive is also HIPAA protected
12Treatment, Payment, & Healthcare Operations (TPO) Examples of permitted disclosures for TPO include:Providing medical treatment and servicesCoordinating continuing care needs and servicesObtaining payment for services
13Health Care Operations Activities that support health care operations include:Quality Assurance & performance improvementMedical staff peer reviewAuditing and monitoringCompliance reviews
14Disclosure of PHI Disclosure occurs when: PHI is communicated outside of the facility’s health care networkData in an electronic claim is submitted for paymentAuthorization for use and disclosure form must be signed by the patient/legally authorized individual, dated and have a time limit of the authorization.
15Disclosures Mandated or Permitted by Law Disclosures that are mandated or permitted by State or Federal law, or by certain government agencies, do not require patient authorizationExamples include:Organ and tissue donationPublic health activitiesHealth oversight agenciesCoroners, medical examiners, and mortuariesMilitary commandsWorkers compensationCorrectional facilitiesLaw enforcementSerious threat to health and safety
16Permitted Disclosures to Law Enforcement Responding to a court order, subpoena, or similar processIdentifying or locating a suspect, witness, or missing personReporting about crime victims
17Documentation for Permitted and Mandated Disclosures Certain disclosures of PHI must be documented for purpose of accounting disclosuresDisclosures may be documented:In the clinical recordOn a mandated reporting form, i.e., abuse report or Confidential morbidity report to Public HealthOn a PHI Disclosure Documentation form
18Requests for Information Respond to requests when necessary to ensure patient safety, treatment, and continuity of careClinical staff may disclose PHI to individuals directly involved in the patient’s care, as long as the patient identifies the individuals who may be provided such information
19Handling Requests for Information Validate the identity and authority of the requestorCheck photo ID for in-person requestsValidate phone requests by call back to the requestorDocument disclosure of the information
20What should be documented? Date of disclosureName of entity or person receiving the informationBrief description of PHI disclosedBrief purpose of the disclosureLegible signature of person providing the information
22Disclosures within TPO that Require Patient Authorization Drug and alcohol abuse treatmentHIV and AIDS test resultsMental/behavioral health
23Patient Authorization An Authorization for Use or Disclosure Form must be completed.If any of the required elements are not completed on the authorization form, the authorization is INVALID and you may not act on the request!
24Pt. Requests for Restrictions on Uses and Disclosure of PHI Requests must be in writingRequests will be evaluated on an individual basisRefer requests to a Director or the Risk Management departmentAccommodating requests is based on the information system’s capabilities to restrict information
25Disclosures that Must be Accounted For Disclosures to law enforcementAbuse, assault, neglectJudicial and administrative proceedingsPublic Health activitiesData collected in preparation for researchAgency health oversight activitiesOrgan and tissue donationCoroner
26Disclosures that do not need to be Accounted for TPOPHI given to the patient or their representativeWhere an authorization has been obtainedUses/disclosures to HCP involved in patient’s care and where authorizedNational security or intelligence
27Patient Requests for Accounting of Disclosures Patients may request an accounting of certain disclosures of their PHIDisclosures made for TPO or disclosures authorized by the patient are not included in the accountingRefer such requests to the Risk Management department
28Patient Requests for Alternative Information Patients may request that communications about medical matters be made in a certain way or to a certain locationReasonable requests should be accommodated
29Patient Requests to View their Health Information Open medical records are incomplete and require authorization from the patient’s healthcare provider (HCP)Obtain an order from the HCP and ensure an appropriate review in the presence of a member of the health care team
30Denying Patient Requests to View their Health Information Patient access may be denied in certain instancesConsult with Center’s Director or the University’s Compliance Office
31Patient Requests to Inspect or Obtain a Copy of their PHI Provide the patient with an “Authorization for Use and Disclosure of Health Information” formThe Center’s Director is responsible for:Reviewing request with HCPIf appropriate, providing information and copies of information to the patient upon request
32Patient Requests to Amend their Health Record Patients must submit the request in writing to the designated Director named on the Notice of Privacy PracticesDirector reviews records with HCP
33Amendment Requests We cannot change the record if: It was not created by one of our HCPRecords are confidential and aren’t available for inspectionNot part of the set of records designated as covered by HIPAARecord is accurate and completePolicy requires response to patient within 10 working days of request, 20 days if records not on site
34Patient ComplaintsPatients complaints or concerns regarding information practices should be addressed through existing channelsCenter DirectorClinical DeanUniversity Compliance OfficePatients may also file a written complaint and request an investigation with the Department of Health and Human Services (DHHS)Each Center’s Notice of Privacy Practices provides information on where to send the complaint
35Reporting ViolationsIf it is discovered that HIPAA/HITECH protected information was inappropriately accessed or complaints are received related to HIPAA/HITECH, this should be immediately reported to the compliance office for investigation.
36Faxing Health Information Faxing of PHI is another key privacy considerationConsider faxing PHI when the information is:Urgently needed for patient care or to obtain paymentAuthorized by the patient or his/her legal representative
37Guidelines for Faxing PHI Locate fax machines in secure locationsSecure incoming faxesVerify the accuracy of fax numbers before sending outgoing faxesUse a fax cover sheet for all transmissionsPre-program frequently called numbersNotify others of any fax number changes
38Handling Misdirected Faxes Obtain the correct fax number and immediately transmit a request to the unintended recipient requesting that the material be destroyed immediately or returned by mailComplete a Incident Report (check with your Director or manager for guidance)Follow Center proceduresAlso, do not send credit card information via .
39Emailing Medical Records Requires written permission from the patient or legally authorized guardian/individual.Even with consent, records should be sent via encrypted to ensure only those with permission to access the records receive them.
40Email Regarding Patients Never send unencrypted information over the internet that you would not place on a billboard.You cannot control how a message you generate is forwarded or shared once it is sent!
41Statement to use when Emailing Patient or Medical Records The information transmitted herewith is privileged / confidential information intended only for use by the individual or entity to which it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any review, retransmission, dissemination, distribution, copying or other use of, or taking of any action in reliance upon this information is strictly prohibited. If you have received this communication in error, please contact the sender and delete the material from your computer.
42Penalties: Civil If knowingly release PHI $100 per failure to comply May not exceed $25,000 per year for multiple violations
43Penalties: CriminalObtains or discloses PHI fine of $50,000 and up to 1 year imprisonmentWrongful conduct, false pretenses $100,000 and up to 5 years in prisonIntent to sell, transfer or use PHI for gain $250,000 and 10 years in prison
44Your Responsibilities Control access to PHIUse and disclose only the information necessary to meet the needObtain authorizations for disclosuresBe aware of penalties for privacy/security breachesReport breaches to Compliance Office