Presentation on theme: "1 Protecting Patient Privacy Health Insurance Portability and Accountability Act of 1996 HIPAA."— Presentation transcript:
1 Protecting Patient Privacy Health Insurance Portability and Accountability Act of 1996 HIPAA
2 What is HIPAA And what does it govern? A multifaceted piece of regulation covering three areas: 1.Insurance portability 2.Fraud enforcement (accountability) 3.Administrative simplification (reduction in health care costs) a) privacy b) security
3 The Compliance Deadline for HIPAA Privacy April 14, 2003
4 Covered Entities Include most providers: Hospital, physicians practice, lab, nursing home, pharmacy, other provider organization Clearinghouses Health plans
5 Protecting Privacy The Privacy Regulation Protects individually identifiable health information(PHI) that is transmitted or maintained in any form by covered entities.
6 Individually Identifiable Information (PHI) Includes demographic information that identifies an individual and, Is created or received by a health care provider, health plan, employer, or health care clearinghouse. Relates to the past, present, or future physical or mental health or condition of an individual. Describes the past, present or future payment for the provision of health care to an individual.
7 Which of the following situations describe proper techniques for protecting a patient’s privacy and confidentiality ? 1. A doctor brings a patient into an unused room to discuss the patient’s medical condition. 2. A doctor who is reviewing a patient’s record leaves the folder in the doctor’s lounge to review later. 3. A doctor e-mails a physician friend about a patient’s condition. He explains the condition but omits any identifying information regarding the patient.
8 Confidential Information What Makes Information Identifiable? Photos Names Social Security numbers Addresses Medical record numbers Relatives’ names Member/account numbers Employers Certificate numbers Dates of Birth Voiceprints Telephone and fax numbers Fingerprints
9 Case Scenario # 1 Consider the example of a male patient in the waiting room. He’s the only male in the room. His physician is discussing his condition- testicular cancer- with a nurse, and everyone in the waiting room can hear the conversation. What could have been done differently to protect this patient’s privacy?
10 Answer The caregiver should have tried to find a private room or area where details could not be overheard. Even when the patient’s name is not specifically used in conversation,remember that details about his condition can be identifying factors in certain circumstances.
11 Case Scenario # 2 Mr. Olsen, a patient in a facility, has had an adverse reaction to his medication. The nurse tries several times to reach the patient’s physician for instructions, with no success. Finally, she reaches the club where the physician is attending a social event. She asks the receptionist to tell the physician that Mr. Olsen has had an adverse reaction to his medication, and she urgently needs a call back. What should the nurse have done differently?
12 Answer Leaving a message with someone other than the physician that provides any identifying details about the patient or his condition is a breach of confidentiality. If the person receiving the message knows Mr. Olsen, the information about his presence at the facility and his condition could lead to speculation about the patient. The nurse should have simply requested an immediate call back from the physician about an urgent patient matter.
13 Case Scenario # 3 Susan is a nurse in the ER of a city hospital, and she has just heard through the grapevine that a fellow nurse is pregnant. The other staff members would like to give this nurse a baby shower, but nobody knows when the baby is due or whether it is a boy or girl. Susan has access to the records and could easily find the answers to both questions. Should Susan try to get the information?
14 Answer Absolutely not. This is clearly an unauthorized use of medical information. Remember that you should never look at the records of patients you are not helping to care for.
15 Authorization Authorization is required for the use and disclosure of health information( PHI) for purposes other than treatment, payment or health care operations.
16 Ways to Protect Confidentiality Minimum necessary standard: Health care provided must make a reasonable effort to disclose or use the minimum necessary amount of protected health information( PHI). Clinical staff are allowed to look at patient’s entire record and share information freely with other clinicians. Do not pass on any PHI.
17 Ways to Protect Patient Privacy Close patient room doors when discussing treatments and administering procedures. Close curtains and speak softly in semi- private rooms when discussing treatments and administering procedures. Avoid discussions about patients in elevators and cafeteria lines.
18 Ways To Protect……….. Do not leave messages regarding patient conditions or test results on answering machines or with anyone, other than the patient. Avoid paging patients using information that could reveal their health issues.
19 Maintaining Records Do not leave it unattended in an area where others can see it. When finished using PHI return it to its appropriate location. When finished looking at electronic PHI log off the system. Do not leave information visible on an unattended computer monitor.
20 Maintaining Records….. When discarding paper PHI make sure the information is shredded in a secure bin. Leaving paper patient information intact in a wastebasket could lead to a privacy breach.
21 Security Regulation and Electronic Information Send and store information on public networks only in encrypted form Implement procedures by which it is possible to identify the senders and recipients of data and that they are authorized to receive and decrypt the information Use passwords or other authentication technologies to protect information
22 Case Scenario # 4 It has been regular practice to leave the records system open and logged on at the nurses’ station computer at the end of a shift. This saves time during shift changes for the staff who need to retrieve records. Is this an allowable practice under HIPAA?
23 Answer NO. it may be a timesaver, but this practice is not allowed. It is equivalent to sharing a password. When many employees gain access to the system under the same password, there is no way to audit who sees the records.The system should be log off when not in use.
24 Case Scenario # 5 A man tells you that he is here to work on the computers. He wants your password to log on to the electronic medical record system. What do you do?
25 Answer The best response is to ask the man who at the organization contacted him. The contact can take him to the appropriate area and give him the information he needs. If the repairman cannot tell you who his contact is, call your supervisor.
26 Case Scenario # 6 You are just coming off from work at the hospital, and a physician asked you to fax her patient’s OT evaluation findings to her office fax. The findings are ready, but it is after hours, and none of the physician’s staff are available to receive the fax. What do you do?
27 Answer Don’t send the fax to an unattended machine unless you have been assured that it is in a locked room or has a locked cover. You have no way to ensure that someone will not see the fax besides the physician or his staff. Leave a phone message at the physician’s office asking them to call for a fax of the OT evaluation findings that were requested. Make sure not to leave the patient’s name or other identifying information on the message.
28 Helpful Hints to use When Working With Computers Review your organization’s policies on using computers Do not use work e-mail for personal messages Never share or open attached files from an unknown source
29 Helpful Hints….. Never send confidential PHI in an e-mail unless your facility has a policy that allows it and mechanisms in place to protect the information Always double-check the address line of an e- mail before you send it Never share your password or log on to the system under someone else’s password
30 Helpful Hints…. Always keep computer screens pointed away from the public Never remove computer equipment, disks, or software from the facility unless you have permission
31 Exceptions to the Rule Laws that require providers to report certain communicable diseases to state health agencies when patients have these diseases, even if the patient doesn’t want the information reported. The Food and Drug Administration requires providers to report certain information about medical devices that break or malfunction.
32 Exceptions.….. Some states require physicians and other caregivers who suspect child abuse or domestic violence to report it to the police. Police have the right to request certain information about patients when conducting a criminal investigation.
33 Exceptions….. Certain courts have the rights,in some cases, to order providers to release PHI. Providers must report cases of suspicious deaths or certain injuries, such as gunshot wounds. Providers report information about patients’ deaths to coroners and funeral directors.
34 Reporting Abuses If a patient, a member of the public, or an employee suspect that an organization is NOT complying with HIPAA, that person can file a complaint with the Office for Civil Rights (OCR) in the US Department of Health and Human Services.
35 Enforcement Breaking HIPAA privacy or security rules can mean either a civil or a criminal sanction: Knowingly releasing PHI can result in one-year jail sentence and $ 50,000 fine. Gaining access to PHI under false pretenses can result in a five-year jail sentence and a $ 100,000 fine. Releasing PHI with harmful intent or selling the information can lead to a 10-year jail sentence and a $ 250,000 fine.
36 Third Party Contractor- What is a “Business Associate”? A person (vendor) who performs or assists a provider or health plan in the performance of: A function or activity involving the use or disclosure of PHI, or Any other function or activity regulated by the HIPAA Privacy Rule
37 Business Associates Examples of business associates: Transcription services Physicians Utilization review contractors Device manufacturers Accreditation organizations
38 Who is not a business associate Most delivery services The long distance telephone supplier Housekeeping services
39 Summary HIPAA requires organizations to have policies and procedures in place that: dictate how employees can use PHI when they can disclose it and, how they should dispose of it
40 Acknowledgement My sincere thanks to Dr.Elsayed Abdel- Moty for providing the materials for this presentation.
42 Which Area is not Addressed by HIPAA? Insurance portability Hospital accreditation Fraud enforcement Administrative simplification
43 What are considered “covered entities “ under HIPAA? Hospitals only Hospitals and payers only Most providers, clearinghouses, and health plans Accredited nursing homes, home health agencies and hospitals only
44 What are the two kinds of sanctions under HIPAA? Egregious and inadvertent Criminal and civil Warranted and unwarranted Security and privacy
45 Which organization has been charged with enforcing HIPAA’s privacy regulation? The Joint Commission on Accreditation of Healthcare Organizations The Office for Civil Rights The Centers for Medicare and Medicaid Services The Federal Bureau of Investigation
46 What kind of personally identifiable health information is protected by HIPAA’s privacy rule? Written Electronic Spoken All of the above
47 Which of the following are common features designed to protect confidentiality of health information contained in patient medical records? Locks on medical records room Passwords to access computerized records Rules that prohibit employees from looking at records unless they have a need to know All of the above
48 Confidentiality protections cover not just a patient’s health information, such as the diagnosis, but also other identifying information such as Social Security number and telephone number. True or false?