Mount Auburn Hospital (MAH) HIPAA Training: Ensuring Privacy for our Patients
Privacy
- Information about ourselves we prefer not to share without permission
- Our right to keep this information from others if we choose
- We expect healthcare providers and workers to protect the privacy of the information they learn about us
Goals
By the end of this program you will be able to:
- Explain the basic principles of the Privacy Rule
- Describe the basic policies/procedures you need to use to protect patient information
- Describe patients’ rights
- Identify your role in protecting patient information
- Get help if you have a question
Agenda
- What is HIPAA/The Privacy Law?
- Why is it important?
- Who must follow the law?
- What are the Mount Auburn Hospital’s responsibilities?
- What does this mean for you?
The Privacy Law
- HIPAA: Health Insurance Portability and Accountability Act of 1996
- Protects all health information created by a healthcare provider, health plan, or healthcare clearinghouse
- Defines who is allowed to see or use a patient’s private health information
The Privacy Law
- Protects the information whether it is:
  - Oral
  - Written
  - Electronic
Why is Patient Privacy important?
- Safeguards protected, identifiable patient health information
- Provides patients with more control over what happens with their information
- Provides patients with informed choices about how their information is used
- Balances our need to use information to treat patients, teach, and conduct research with the patient’s desire/need for privacy
Protected Health Information (PHI)
- Any information created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual
Protected Health Information Includes, But is Not Limited to:
- Medical records
- Billing information (bills, receipts, EOBs, etc.)
- Labels on IV bags
- Telephone notes (in certain situations)
- Test results
- Patient menus
- Patient information on a palm device
- X-rays
- Clinic lists
Who Must Follow the Law?
- Healthcare Providers (and their Workforce)
  - Anyone who provides services, care, or supplies that relate to the health of a person (such as a hospital, doctor, dentist, or others)
- Health Plans (such as Insurers, HMOs, etc.)
- Healthcare Clearinghouses
This means workforce members of MAH and Credentialed Physicians at MAH for services provided at the hospital.
Am I Part of the Workforce?
- You are considered a part of the Workforce if you are a:
  - Physician
  - Employee
  - Volunteer
  - Temporary Employee
  - Contractor
  - Consultant
What Are the Mount Auburn Hospital’s Responsibilities?
- Provide patients with a notice of our privacy practices
- Protect the information from use or disclosure to those not allowed to see it by law or by the patient
- Investigate complaints of breaches
- Discipline breaches of confidentiality
The Notice of Privacy Practices
- Describes the ways we may use health information a person gives to us
- Describes the rights the person has to protect their information
- Describes the duties we have to the patient to protect their information
- Informs the patient that we have a complaint and investigation process
- Must be given to a patient before the first treatment encounter, and written acknowledgment must be obtained
What are the Patient’s Rights?
- To have their information protected
- To be provided with a notice of our privacy practices
- To have their questions answered
- To see their information if they wish (restrictions apply)
- To obtain copies of their records (for a fee)
- To request to change their records
- To limit (under specific circumstances) the use/disclosure of their information
What Does This Mean for You?
- Be careful with information to which you have access. Ask yourself:
  - Am I allowed to have this information? Is it required for me to do my job?
  - Is the person with whom I am about to share this information allowed to receive it? Do they need the information to do their job?
  - If I were the patient, and this were my information, how would I feel about it being shared?
What Must I Do to Ensure Patient Privacy?
- Be aware of who is around you when you are discussing patient information
- Dispose of information appropriately
- Use cover sheets for faxing
- Share information only with those who are allowed to have it
- If in doubt, ask for help
You Should be Aware of Patient Privacy in:
- Ensuring computer security
- Sending/receiving faxes
- Disposing of information
- Using/disclosing information
- Conducting everyday work practices
Each of these aspects of Patient Privacy is discussed in detail in the next few slides.
Ensuring Computer Security
- Never share passwords
- Lock the workstation/log off when leaving a workstation
- Position the workstation so the screen does not face a public area, if possible
- Do not send e-mail containing patient-identifiable information
- Refer to the MAH e-mail guidelines in the Administrative Policy Manual or on the intranet
Ensuring Computer Security, continued
- Personal databases containing patient information are prohibited unless:
  - they support “TPO”,
  - they contain “de-identified” information (as per the HIPAA definition), or
  - you have received IRB approval
- Each database has an “information custodian” who is responsible for maintaining security and access for the database
- Store databases on a secure machine or network file area, not the “C” drive
Sending/Receiving Faxes
- Least controllable type of communication
- When faxing information:
  - Use a cover sheet!!
  - Verify that the sender has the correct fax number, and
  - The fax machine is in a secure location, and/or the receiver is available immediately to receive the fax
Sending/Receiving Faxes, continued
- When receiving faxed patient information:
  - Immediately remove the fax transmission from the fax machine and deliver it to the recipient
  - If information has been sent in error, immediately inform the sender and destroy the faxed information (deposit in a shredding bin, or other method)
Disposing of Information
- Do not place identifiable health information in regular trash!
- Rip, shred, or otherwise dispose of identifiable health information
Using and Disclosing Information
- You may use/disclose patient information without specific authorization from the patient for:
  - Treating a patient
  - Getting paid for treating a patient
  - Other healthcare operations
These uses are commonly referred to as TPH (Treatment, Payment, Healthcare Operations) or TPO.
About Authorizations
- What is an Authorization?
  - Permission from the patient to release information
  - Must be obtained where Protected Health Information is used for other than TPH (except psychotherapy)
  - Authorizations are time limited
  - May be revoked by the patient
- What is Needed for an Authorization?
  - State to whom the information will go
  - State for what purpose the information will be used
  - State what information will be sent
There are Times when Information May be Disclosed Without Authorization
- If Required by Law
  - Court Order
  - Subpoena
- Public-Health Reporting
- Incidental Disclosures
  - Overhearing a patient’s conversation with their doctor or nurse in a semi-private room
These are discussed in more detail on the following slides.
Disclosures Required by Law
- If the release complies with and is limited to what the law requires, you may give information to (see “Authentication” below):
  - Public health authorities
  - Health oversight agencies
  - Employers responsible for workplace surveillance
    - Must post notice of privacy practices
  - Coroners, Medical Examiners, and Funeral Directors
  - Organ procurement organizations
About Incidental Use or Disclosure
Hallmarks:
- Occurs as a by-product of an otherwise permitted use or disclosure
- Cannot be reasonably prevented
- Is limited in nature
- Is permissible to the extent that reasonable safeguards exist
Authentication
- To the degree practicable, you must ensure that the person to whom you give the information is the person allowed to receive it
  - Ask for identification
Minimum Necessary
The Privacy Law generally requires that we all take reasonable steps to limit the use or disclosure of, and requests for, Protected Health Information (PHI) to the minimum amount of information necessary to accomplish the intended purpose.
Minimum Necessary
Does not apply to:
- Disclosures to a health care provider for treatment purposes
- Uses/disclosures made pursuant to an authorization by the individual
- Disclosures to the individual
- Uses/disclosures required for compliance with standardized HIPAA transactions
- Disclosures to DHHS required under the rule for enforcement
- Uses/disclosures required by other law
Accounting for Disclosures
- Upon request, we must provide patients with a list of the names of people to whom we have disclosed the patient’s information, except for:
  - Instances when the information is disclosed to the individual themselves
  - TPO
  - Disclosures under a specific authorization
How to Account for Disclosures
Unless limited by the request, the accounting must cover the full six years prior to the request, and must include:
- To whom the information was disclosed
- When it was disclosed
- What was disclosed
- Why it was disclosed
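As an added illustration of the two accounting slides above (this is example code written for this page, not an MAH tool), the following script builds a disclosure accounting from a constructed disclosure log: it keeps only entries within the six years before the request (or a narrower period the patient asks for), drops the exempt purposes (to the individual, TPO, specific authorization), and reports the four required fields. The purpose labels and the sample log are assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import date

# Purposes the slides exempt from the accounting: disclosure to the patient,
# TPO (treatment, payment, healthcare operations) and disclosures made under
# a specific authorization. These labels are my own, not a HIPAA code set.
EXEMPT_PURPOSES = {"to_individual", "treatment", "payment", "operations", "authorization"}


@dataclass(frozen=True)
class Disclosure:
    to_whom: str
    when: date
    what: str
    why: str  # purpose label; exempt ones are listed in EXEMPT_PURPOSES


def years_before(d: date, years: int) -> date:
    """Same month/day `years` earlier; a Feb 29 start falls back to Feb 28."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def accounting_of_disclosures(log, request_date, since=None, years=6):
    """Entries that must be reported for a request made on `request_date`.

    Covers the full six years before the request unless the patient limits
    the period with `since`. Exempt purposes are dropped, and each entry
    carries the four fields the slides require: to whom, when, what, why.
    """
    start = years_before(request_date, years)
    if since is not None and since > start:
        start = since  # the patient asked for a narrower period
    reportable = [d for d in log
                  if start <= d.when <= request_date and d.why not in EXEMPT_PURPOSES]
    reportable.sort(key=lambda d: d.when)
    return [{"to_whom": d.to_whom, "when": d.when.isoformat(), "what": d.what, "why": d.why}
            for d in reportable]


# Constructed sample log (fictitious entries, not real patient data).
SAMPLE_LOG = [
    Disclosure("State Public Health Dept", date(2024, 3, 1), "lab result", "public_health"),
    Disclosure("Treating physician", date(2024, 2, 10), "chart", "treatment"),
    Disclosure("County Court", date(2017, 1, 5), "records", "court_order"),  # older than 6 years
    Disclosure("Patient", date(2024, 1, 1), "copy of record", "to_individual"),
    Disclosure("Life insurer", date(2023, 9, 9), "summary", "authorization"),
    Disclosure("Medical Examiner", date(2019, 7, 20), "records", "required_by_law"),
]


def demo():
    """Full six-year accounting for a request dated 2024-06-01."""
    return accounting_of_disclosures(SAMPLE_LOG, date(2024, 6, 1))


def demo_limited():
    """Same request, but the patient limited the period to 2020 onward."""
    return accounting_of_disclosures(SAMPLE_LOG, date(2024, 6, 1), since=date(2020, 1, 1))


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```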
Conducting Your Everyday Work Practices
- Evaluate how you disclose patient-identifiable data
- Look for opportunities to streamline work and reduce unnecessary uses and/or disclosures
  - What data do you create?
  - What data do you send to others outside of MAH? For what purpose?
  - What data do you receive from others? For what purpose?
Guidelines for Directories
- Information in a patient directory is limited to:
  - Name
  - Location within the facility
  - Condition in general terms
  - Religious affiliation (may be given to clergy)
- This information may be given out only if the person asks for the patient by their full name
Guidelines for Fundraising
- We may use PHI for fundraising only if:
  - We only use demographic information and the dates when care was provided
  - We tell patients in our Notice of Privacy Practices that we use some of their information for fundraising
- We must allow patients to opt out of this use
- We must make a reasonable effort not to send further materials to patients who opt out
Guidelines for Business Associates
- Persons or entities to whom a covered entity discloses PHI so that the person or entity may carry out, assist with, or perform a function on behalf of the covered entity who created the PHI
- Does not apply to providers who receive information for treatment purposes
Business Associates, continued
- The covered entity must obtain, typically by contract, satisfactory assurances that the business associate will:
  - Use the information only for the purposes for which they were engaged by the covered entity
  - Safeguard the information from misuse, and
  - Help the covered entity comply with the covered entity’s duties to provide individuals with access to health information about them and a history of certain disclosures
- PHI disclosed may not be for independent use by the business associate
Who is Responsible?
- We are all responsible!
  - Anyone who cares for patients, works in the hospital environment, or is responsible for using identifiable information in order to perform their job
  - Anyone who works for providers that perform functions on our behalf that involve patient-identifiable information
What Else Can You Do?
- Your responsibility for protecting patient privacy and confidentiality does not end with your work shift
- Don’t divulge any patient information in an informal atmosphere or social setting
- If asked about a patient, simply reply “I’m sorry, that information is confidential”
- Respect everyone as if they were your family member!
How to Report a Privacy Concern or Breach
Contact:
- Your supervisor
- Patient Relations Hotline: (617) 499-5100
- MAH Privacy Officer: (617) 441-1665
Where Can You Get Help?
- Ask your supervisor
- Check our HIPAA web site on the MAH CareGroup Portal
- Call the Privacy Officer: (617) 441-1665
- By e-mail at email@example.com@mah.harvard.edu
Thank you
- You have completed the MAH general training about the Privacy Rule
- Your job may require more specialized training, which will be done by your manager
- Thank you for your support in our efforts to protect the private information of our patients

Remember…
Be careful with information to which you have access. Ask yourself:
- Am I allowed to have this information? Is it required for me to do my job?
- Is the person with whom I am about to share this information allowed to receive it? Do they need the information to do their job?
- If I were the patient, and this were my information, how would I feel about it being shared?